Resubmissions

  • 01-11-2024 12:33  241101-pradyaypdv  10
  • 27-10-2024 23:08  241027-24hmasskhj  10
  • 20-10-2024 16:28  241020-tyzdvsxgqb  3
  • 20-10-2024 16:26  241020-tx2gtszekk  3
  • 02-10-2024 11:53  241002-n2j6fsycqb  3
  • 13-09-2024 04:59  240913-fmwxpswcpb  3
  • 11-09-2024 15:54  240911-tcmg6sygmm  3
  • 11-09-2024 15:53  240911-tbsmsszbnh  10
  • 25-08-2024 22:53  240825-2t6als1gll  10

Analysis

  • max time kernel
    477s
  • max time network
    483s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-08-2024 22:59

General

  • Target
    dl2.exe
  • Size
    849KB
  • MD5
    c2055b7fbaa041d9f68b9d5df9b45edd
  • SHA1
    e4bd443bd4ce9029290dcd4bb47cb1a01f3b1b06
  • SHA256
    342f04c4720590c40d24078d46d9b19d8175565f0af460598171d58f5ffc48f3
  • SHA512
    18905b75938b8af9468b1aa3ffbae796a139c2762e623aa6ffb9ec2b293dd04aa1f90d1ed5a7dbda7853795a3688e368121a134c7f63e527a8e5e7679301a1dc
  • SSDEEP
    12288:A3RY3yNqMRTF4q2rxHn2ot/81xpNQyjUXlmoe7ufjHAtjXD7r2:A3RY3R24q+xn/8Xp2yOl5fzQ/2

Malware Config

Extracted

  • Family
    danabot
  • C2
    51.178.195.151
    51.222.39.81
    149.255.35.125
    38.68.50.179
    51.77.7.204
  • rsa_pubkey.plain

Extracted

  • Family
    modiloader
  • C2
    https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download

Signatures

  • BadRabbit

    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

  • BazarBackdoor 64 IoCs

    Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Danabot x86 payload 1 IoCs

    Detection of the Danabot x86 payload, mapped in memory during the execution of its loader.

  • Dharma

    Dharma is a ransomware family that uses security software installation to hide malicious activities.

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Netwire

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • ModiLoader First Stage 2 IoCs
  • Renames multiple (526) files with added filename extension

    This suggests ransomware activity, i.e. encrypting the files on the system.

  • Blocklisted process makes network request 10 IoCs
  • Disables Task Manager via registry modification
  • Downloads MZ/PE file
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Tries to connect to .bazar domain 64 IoCs

    Attempts to look up or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 11 IoCs
  • Executes dropped EXE 33 IoCs
  • Loads dropped DLL 20 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Unexpected DNS network traffic destination 64 IoCs

    Network traffic on the DNS port to servers other than the configured DNS servers was detected.

  • Abuse Elevation Control Mechanism: Bypass User Account Control 1 TTPs 1 IoCs

    UAC bypass attempt via the SilentCleanup scheduled task.

  • Adds Run key to start application 2 TTPs 6 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 11 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 3 IoCs
  • NTFS ADS 7 IoCs
  • Script User-Agent 2 IoCs

    Uses a user-agent string associated with a script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\dl2.exe
    "C:\Users\Admin\AppData\Local\Temp\dl2.exe"
    • Suspicious use of SetWindowsHookEx
    PID:4400
  • C:\Users\Admin\AppData\Local\Temp\dl2.exe
    C:\Users\Admin\AppData\Local\Temp\dl2.exe {87911C0D-E644-4A0D-9804-AC9ACAB7CF2E}
    • Suspicious use of SetWindowsHookEx
    PID:2576
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    • BazarBackdoor
    • Enumerates system info in registry
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1020
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa3a1e46f8,0x7ffa3a1e4708,0x7ffa3a1e4718
      PID:648
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
      PID:1244
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
      • Suspicious behavior: EnumeratesProcesses
      PID:3396
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
      PID:1444
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
      PID:516
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
      PID:4384
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
      PID:1908
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
      PID:2020
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
      PID:212
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
      • Suspicious behavior: EnumeratesProcesses
      PID:3856
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
      PID:904
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
      PID:2992
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
      PID:5128
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
      PID:5308
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
      PID:5508
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5772 /prefetch:8
      PID:5768
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5696 /prefetch:8
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      PID:5776
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
      PID:5984
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=212 /prefetch:1
      PID:6116
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
      PID:6128
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5492 /prefetch:8
      PID:5736
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
      PID:5744
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6044 /prefetch:8
      PID:5960
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6640 /prefetch:8
      • Suspicious behavior: EnumeratesProcesses
      PID:3860
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
      PID:5956
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4048 /prefetch:8
      PID:5540
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1452 /prefetch:8
      • Suspicious behavior: EnumeratesProcesses
      PID:5892
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3720 /prefetch:2
      • Suspicious behavior: EnumeratesProcesses
      PID:4600
    • C:\Users\Admin\Downloads\NJRat.exe
      "C:\Users\Admin\Downloads\NJRat.exe"
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4848
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NJRat.exe" "NJRat.exe" ENABLE
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:5644
    • C:\Users\Admin\Downloads\NJRat.exe
      "C:\Users\Admin\Downloads\NJRat.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2544
    • C:\Users\Admin\Downloads\NJRat.exe
      "C:\Users\Admin\Downloads\NJRat.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:6060
    • C:\Users\Admin\Downloads\NJRat.exe
      "C:\Users\Admin\Downloads\NJRat.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:5276
    • C:\Users\Admin\Downloads\NJRat.exe
      "C:\Users\Admin\Downloads\NJRat.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2192
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
      PID:3456
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6484 /prefetch:8
      PID:6096
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
      PID:5836
    • C:\Users\Admin\Downloads\NetWire.exe
      "C:\Users\Admin\Downloads\NetWire.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4964
      • C:\Users\Admin\Downloads\NetWire.exe
        "C:\Users\Admin\Downloads\NetWire.exe"
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        PID:1812
        • C:\Windows\SysWOW64\Notepad.exe
          C:\Windows\System32\Notepad.exe
          • System Location Discovery: System Language Discovery
          PID:7032
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Natso.bat" "
            • System Location Discovery: System Language Discovery
            PID:7220
            • C:\Windows\SysWOW64\reg.exe
              reg delete hkcu\Environment /v windir /f
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:8080
            • C:\Windows\SysWOW64\reg.exe
              reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:8464
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
              • Abuse Elevation Control Mechanism: Bypass User Account Control
              • System Location Discovery: System Language Discovery
              PID:8508
            • C:\Windows\SysWOW64\reg.exe
              reg delete hkcu\Environment /v windir /f
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:8588
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Runex.bat" "
            • System Location Discovery: System Language Discovery
            PID:27308
            • C:\Windows \System32\fodhelper.exe
              "C:\Windows \System32\fodhelper.exe"
              • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                PID:39040
                                                          • C:\Program Files (x86)\internet explorer\ieinstal.exe
                                                            "C:\Program Files (x86)\internet explorer\ieinstal.exe"
                                                            4⤵
                                                              PID:7712
                                                        • C:\Users\Admin\Downloads\NetWire.exe
                                                          "C:\Users\Admin\Downloads\NetWire.exe"
                                                          2⤵
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          PID:1704
                                                          • C:\Users\Admin\Downloads\NetWire.exe
                                                            "C:\Users\Admin\Downloads\NetWire.exe"
                                                            3⤵
                                                            • Executes dropped EXE
                                                            • System Location Discovery: System Language Discovery
                                                            PID:4380
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 240
                                                              4⤵
                                                              • Program crash
                                                              PID:5408
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
                                                          2⤵
                                                            PID:8828
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2024 /prefetch:8
                                                            2⤵
                                                              PID:8940
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6824 /prefetch:8
                                                              2⤵
                                                                PID:8784
                                                              • C:\Users\Admin\Downloads\CoronaVirus.exe
                                                                "C:\Users\Admin\Downloads\CoronaVirus.exe"
                                                                2⤵
                                                                • Checks computer location settings
                                                                • Drops startup file
                                                                • Executes dropped EXE
                                                                • Adds Run key to start application
                                                                • Drops desktop.ini file(s)
                                                                • Drops file in System32 directory
                                                                • Drops file in Program Files directory
                                                                • System Location Discovery: System Language Discovery
                                                                PID:2092
                                                                • C:\Windows\system32\cmd.exe
                                                                  "C:\Windows\system32\cmd.exe"
                                                                  3⤵
                                                                    PID:7640
                                                                    • C:\Windows\system32\mode.com
                                                                      mode con cp select=1251
                                                                      4⤵
                                                                        PID:36544
                                                                      • C:\Windows\system32\vssadmin.exe
                                                                        vssadmin delete shadows /all /quiet
                                                                        4⤵
                                                                        • Interacts with shadow copies
                                                                        PID:27860
                                                                    • C:\Windows\system32\cmd.exe
                                                                      "C:\Windows\system32\cmd.exe"
                                                                      3⤵
                                                                        PID:39920
                                                                        • C:\Windows\system32\mode.com
                                                                          mode con cp select=1251
                                                                          4⤵
                                                                            PID:39236
                                                                          • C:\Windows\system32\vssadmin.exe
                                                                            vssadmin delete shadows /all /quiet
                                                                            4⤵
                                                                            • Interacts with shadow copies
                                                                            PID:39164
                                                                        • C:\Windows\System32\mshta.exe
                                                                          "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
                                                                          3⤵
                                                                            PID:39732
                                                                          • C:\Windows\System32\mshta.exe
                                                                            "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
                                                                            3⤵
                                                                              PID:39704
                                                                          • C:\Users\Admin\Downloads\CoronaVirus.exe
                                                                            "C:\Users\Admin\Downloads\CoronaVirus.exe"
                                                                            2⤵
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:5332
                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1
                                                                            2⤵
                                                                            • Checks computer location settings
                                                                            • Executes dropped EXE
                                                                            • Loads dropped DLL
                                                                            PID:37184
                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2220 /prefetch:8
                                                                            2⤵
                                                                            • Executes dropped EXE
                                                                            • Loads dropped DLL
                                                                            PID:37116
                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 /prefetch:8
                                                                            2⤵
                                                                            • Executes dropped EXE
                                                                            • Loads dropped DLL
                                                                            PID:19224
                                                                          • C:\Users\Admin\Downloads\DeriaLock.exe
                                                                            "C:\Users\Admin\Downloads\DeriaLock.exe"
                                                                            2⤵
                                                                            • Drops startup file
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:36620
                                                                          • C:\Users\Admin\Downloads\DeriaLock.exe
                                                                            "C:\Users\Admin\Downloads\DeriaLock.exe"
                                                                            2⤵
                                                                            • Drops startup file
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:36524
                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
                                                                            2⤵
                                                                            • Checks computer location settings
                                                                            • Executes dropped EXE
                                                                            • Loads dropped DLL
                                                                            PID:34096
                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6884 /prefetch:8
                                                                            2⤵
                                                                            • Executes dropped EXE
                                                                            • Loads dropped DLL
                                                                            PID:33976
                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6232 /prefetch:8
                                                                            2⤵
                                                                            • Executes dropped EXE
                                                                            • Loads dropped DLL
                                                                            PID:33208
                                                                          • C:\Users\Admin\Downloads\BadRabbit.exe
                                                                            "C:\Users\Admin\Downloads\BadRabbit.exe"
                                                                            2⤵
                                                                            • Executes dropped EXE
                                                                            • Drops file in Windows directory
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:32984
                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                              C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
                                                                              3⤵
                                                                              • Loads dropped DLL
                                                                              • Drops file in Windows directory
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:32804
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                /c schtasks /Delete /F /TN rhaegal
                                                                                4⤵
                                                                                  PID:32672
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2836839790 && exit"
                                                                                  4⤵
                                                                                    PID:32488
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 23:24:00
                                                                                    4⤵
                                                                                      PID:32440
                                                                                    • C:\Windows\4479.tmp
                                                                                      "C:\Windows\4479.tmp" \\.\pipe\{6366A00B-1511-456F-A1E6-A3ECF266E7E8}
                                                                                      4⤵
                                                                                      • Executes dropped EXE
                                                                                      PID:32372
                                                                                • C:\Users\Admin\Downloads\BadRabbit.exe
                                                                                  "C:\Users\Admin\Downloads\BadRabbit.exe"
                                                                                  2⤵
                                                                                  • Executes dropped EXE
                                                                                  • Drops file in Windows directory
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:32844
                                                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                                                    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
                                                                                    3⤵
                                                                                    • Loads dropped DLL
                                                                                    • Drops file in Windows directory
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:32592
                                                                                • C:\Users\Admin\Downloads\BadRabbit.exe
                                                                                  "C:\Users\Admin\Downloads\BadRabbit.exe"
                                                                                  2⤵
                                                                                  • Executes dropped EXE
                                                                                  • Drops file in Windows directory
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:31752
                                                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                                                    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
                                                                                    3⤵
                                                                                    • Loads dropped DLL
                                                                                    • Drops file in Windows directory
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:31568
                                                                                • C:\Users\Admin\Downloads\BadRabbit.exe
                                                                                  "C:\Users\Admin\Downloads\BadRabbit.exe"
                                                                                  2⤵
                                                                                  • Executes dropped EXE
                                                                                  • Drops file in Windows directory
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:31608
                                                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                                                    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
                                                                                    3⤵
                                                                                    • Loads dropped DLL
                                                                                    • Drops file in Windows directory
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:31432
                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
                                                                                  2⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Loads dropped DLL
                                                                                  PID:31160
                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1388 /prefetch:8
                                                                                  2⤵
                                                                                  • Executes dropped EXE
                                                                                  • Loads dropped DLL
                                                                                  PID:31108
                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6992 /prefetch:8
                                                                                  2⤵
                                                                                  • Executes dropped EXE
                                                                                  • Loads dropped DLL
                                                                                  PID:30672
                                                                                • C:\Users\Admin\Downloads\$uckyLocker.exe
                                                                                  "C:\Users\Admin\Downloads\$uckyLocker.exe"
                                                                                  2⤵
                                                                                  • Executes dropped EXE
                                                                                  • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    PID:30476
  • C:\Users\Admin\Downloads\$uckyLocker.exe
    "C:\Users\Admin\Downloads\$uckyLocker.exe"
    2⤵
    • Executes dropped EXE
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    PID:30356
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:1
    2⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Loads dropped DLL
    PID:30072
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
    2⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Loads dropped DLL
    PID:30020
• C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  1⤵
  PID:3192
• C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  1⤵
  PID:1044
• C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  1⤵
  PID:5592
• C:\Users\Admin\Downloads\DanaBot.exe
  "C:\Users\Admin\Downloads\DanaBot.exe"
  1⤵
  • Executes dropped EXE
  • System Location Discovery: System Language Discovery
  PID:6056
  • C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\DanaBot.exe@6056
    2⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:5264
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\DanaBot.dll,f0
      3⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2072
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6056 -s 464
    2⤵
    • Program crash
    PID:2240
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 6056 -ip 6056
  1⤵
  PID:5420
• C:\Users\Admin\Downloads\NJRat.exe
  "C:\Users\Admin\Downloads\NJRat.exe"
  1⤵
  • Executes dropped EXE
  • System Location Discovery: System Language Discovery
  • Suspicious use of AdjustPrivilegeToken
  PID:5376
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4380 -ip 4380
  1⤵
  PID:3008
• C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x404 0x33c
  1⤵
  PID:6528
• C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  1⤵
  • Suspicious use of AdjustPrivilegeToken
  PID:39988
• C:\Windows\system32\werfault.exe
  werfault.exe /h /shared Global\a2319400183a4c129bafc9934aea2b16 /t 39724 /p 39732
  1⤵
  PID:37968
• C:\Windows\system32\werfault.exe
  werfault.exe /h /shared Global\05d8d50b2259442cb4cc88cc4fe124ff /t 39696 /p 39704
  1⤵
  PID:37736
• C:\Windows\explorer.exe
  explorer.exe
  1⤵
  PID:35092

Network

MITRE ATT&CK Enterprise v15

Downloads


                                                                                                  1KB

                                                                                                  MD5

                                                                                                  8b9a9a40722594f96cbad3ece660660c

                                                                                                  SHA1

                                                                                                  ae73c765a3d3e9ee22069602cd477afdbf69cd80

                                                                                                  SHA256

                                                                                                  a613e55569c3c195b6e187171d17295ae248a4fa0fac0b9d232af17febe65f4f

                                                                                                  SHA512

                                                                                                  02652dda1676028fca4be7eb248718d8f3b09d40282ae79e429a82f5a434b2734546115d64e725622b8116d0527671f641791a3cdca736095845f0aca5101b4c

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                                  Filesize

                                                                                                  1KB

                                                                                                  MD5

                                                                                                  cb89e5debc0f9e46cad507a55df8fc3c

                                                                                                  SHA1

                                                                                                  c91b5390bd8edffccf2c7829e33b80383515fbb6

                                                                                                  SHA256

                                                                                                  011bb46a641c169ed919964686b4b90f9eef4263fe9ca1bb8ef8ec4aa9f0a4d4

                                                                                                  SHA512

                                                                                                  79e5570824705e2c1b0a6b13867f3bbec23822660cfed12d3b73512b66c3de7c5902c711142a6096556cfbaf93705c5653d13226dc6c52cd363414a6f22875ec

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                                  Filesize

                                                                                                  1KB

                                                                                                  MD5

                                                                                                  d7e75a50c1aa5e7852934a9ecc0cda04

                                                                                                  SHA1

                                                                                                  ab7d59de316bb572bce54f535d25a39252795fae

                                                                                                  SHA256

                                                                                                  c916106d27a0cd97243a32d17b1977ce5828b4205cce0959ceb6da0a16fc2dcb

                                                                                                  SHA512

                                                                                                  29ed601d7b40e948ced0a198e20eb98231758aa92ff8fdaa18060f11abe34e015cb068de407b774a46e3316396b17690f99a85e636646ebe98701e685b5e0a96

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                                  Filesize

                                                                                                  1KB

                                                                                                  MD5

                                                                                                  3e2bf5fcbd16b4245b89fef3771cce88

                                                                                                  SHA1

                                                                                                  9072083b0a0bbce9c3bde0f6ae13941da3cb647a

                                                                                                  SHA256

                                                                                                  2cd227bab9d7fb39230a82391bceb83986480c5fad7d89a3480c3b22229fd561

                                                                                                  SHA512

                                                                                                  24514c38339a36e0e3c0927edff2d6224685e86ce843c1be06c6dd50598ab87bb675522dfbd5f5156a97d1aec3774081d8beac5cc00b9a4edb935db47d0e44c6

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                                  Filesize

                                                                                                  1KB

                                                                                                  MD5

                                                                                                  69dbfdb0a366de4596b177b64f741e08

                                                                                                  SHA1

                                                                                                  0752cffdea8da419b2574871dc46fb7175d2943d

                                                                                                  SHA256

                                                                                                  5cab66580cd3125f7834ce757d445859c06ce6600a04266c5f073fd89d98fd76

                                                                                                  SHA512

                                                                                                  7a5598fb0fe09933b680c9ff107e28282d6dbfc2c352ec2f4c278e51c401273f555b6125facb8a1335c1fef936e3c349942e8d988631bd876ec48da910c195eb

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5866f2.TMP

                                                                                                  Filesize

                                                                                                  1KB

                                                                                                  MD5

                                                                                                  54c24f42252fa6e31411cebe928059ce

                                                                                                  SHA1

                                                                                                  a821179aee53ca51a794ba98919da6d64ef232fb

                                                                                                  SHA256

                                                                                                  53083c06d4f433c553b87f04dd1c436e55656ec14b817db0896518b36039f3f6

                                                                                                  SHA512

                                                                                                  de756e0d4515348413a4958187ab001d554383189cb27e96955ad0d1a4c482081ef3d4e90a3a1e71728f83675baf2577d8b83b4aa22fc248616c97ec97da7ede

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5d00ed.TMP

                                                                                                  Filesize

                                                                                                  1KB

                                                                                                  MD5

                                                                                                  2bc987987351668ef002fe1ab7d344b6

                                                                                                  SHA1

                                                                                                  00b1f8342c4055a10d6cdd1b4456dd65e17c1c96

                                                                                                  SHA256

                                                                                                  783e21a2235ba2a9e9a25197573ee22f3751acc6348bcead17b10f0da35d351f

                                                                                                  SHA512

                                                                                                  d0d65454f679d5c5ec7bfde2526c2171bcbb7745f50eb59b7d7b1df5e1d3e3a2d2a5a2fe3e0ec598a737ed3f5c235267f6616c79bbbc4adeb17aa173d320d5da

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                                                                  Filesize

                                                                                                  16B

                                                                                                  MD5

                                                                                                  6752a1d65b201c13b62ea44016eb221f

                                                                                                  SHA1

                                                                                                  58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                                                  SHA256

                                                                                                  0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                                                  SHA512

                                                                                                  9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                  Filesize

                                                                                                  12KB

                                                                                                  MD5

                                                                                                  0153c8ef7d73ae9afb9b36fde4f0f5ce

                                                                                                  SHA1

                                                                                                  c9ad243a8b8763b0435e5c9ada12cd6b5a3e1d88

                                                                                                  SHA256

                                                                                                  74a2183974ca6a507f7b6565a9e511ff5bb8715e85d0eaad991a4c8a30c973f9

                                                                                                  SHA512

                                                                                                  5e0348b6fcaefeb48c109aa70d47b20aa54dec4bd280e720dbd70d7f4fc072e38fc4c9b0975baddb006767bd1c92cf578725b60fe8240d5ef38eb7a8b960354e

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                  Filesize

                                                                                                  12KB

                                                                                                  MD5

                                                                                                  b08199362112a2e08f20b0d097179c65

                                                                                                  SHA1

                                                                                                  3d73e42dd093ea4d372a03c598fa72c6d97986b1

                                                                                                  SHA256

                                                                                                  e3256ee772fa7166acb51366131140ad80de0e8a5f11554cc1af5d3fa604f778

                                                                                                  SHA512

                                                                                                  8cf551a44f37fb557b19d79516b6442038916da81b390d8d1e36963052928a0dac1a9ace264edbe24c8d2b4da0b3c5c811f800e48d6997349b806937a47cb90b

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                  Filesize

                                                                                                  11KB

                                                                                                  MD5

                                                                                                  d017f941d085a8d2be5987ee6341fcf7

                                                                                                  SHA1

                                                                                                  8d7042bcd3b4d2dc7bb85cb11fa072bbd4758541

                                                                                                  SHA256

                                                                                                  27fbd5ee7e881b6b9b32e22b5c9a281c9bbcd71bbd47e4c89e7a5b6cd90b3ec4

                                                                                                  SHA512

                                                                                                  34250c162b516d2d6d2c25d243b3fde338b52a9a96eda8b07cff7b67c7e8ad138d69ae52d6916b179d9a939c413b62d1eb227dad1d67bcac0ff7c493111e2d6a

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                  Filesize

                                                                                                  12KB

                                                                                                  MD5

                                                                                                  5d3f51d59086775be845f58bd1e6d545

                                                                                                  SHA1

                                                                                                  d1782aa04cf0be4ac743c8f7422d19bed937bb0f

                                                                                                  SHA256

                                                                                                  9584f4f5c1daed764631f556cba98d02e01dc7becad7432b2104a6008cf0a690

                                                                                                  SHA512

                                                                                                  134098ff7434626826e3a34c729f0c164769b2f1ef586704c43c13fcbb3b4d89cd4425379e684fe9bbcf22a0f194f12b7be4fd0017b48db9617e2380dd9ec488

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                  Filesize

                                                                                                  11KB

                                                                                                  MD5

                                                                                                  4be839881484a37315f46a79ff3426d8

                                                                                                  SHA1

                                                                                                  cd61c6292e7876dbce81e148ae3af4fdb536d01b

                                                                                                  SHA256

                                                                                                  5256cbcde97cc2e8f5feff2f9ca0c999661da21c2433971cebd098eac7bb3a8b

                                                                                                  SHA512

                                                                                                  aa1477fde7184e633c7bcdf650e61b0ec914d934020f74fd6ed948b0ca3dd6c6a3b6cd29974dae713354f236cb3732b6daf4dbe0184c6093bb8043888c9bd012

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                  Filesize

                                                                                                  12KB

                                                                                                  MD5

                                                                                                  ce9fc566995b39b1c1b17ae410dc984e

                                                                                                  SHA1

                                                                                                  0c8fe103545b7816b800c9ba2dc398b25c67d50c

                                                                                                  SHA256

                                                                                                  aab3457b952d1ace2571beb20f454700c4d79b39fadb112a7c676cd71e1eb11a

                                                                                                  SHA512

                                                                                                  6c664f10687e600fa7df321b6abdc97be75661f2028b6f6b84fbdc6832236c95f67cd801a3fc45882be43b2cd0dd8ee70253b545d0c0114ddc7ac2e789a841ae

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                  Filesize

                                                                                                  12KB

                                                                                                  MD5

                                                                                                  5dd539aeae4465bb9e2e4ba7e49a7c4a

                                                                                                  SHA1

                                                                                                  ca712a81c53f112d760806740aad1c4714d941ce

                                                                                                  SHA256

                                                                                                  d0b0d31bb9d133c020fda9c1e2e90f9936703466e011b3577e2c92689127d79d

                                                                                                  SHA512

                                                                                                  56679b3da1da4612faa50f6945e8c5ec30793204c067c97da180d38bf81ad4ec2a1934a4aa1e0bb169ad4ce1ee78de10e6052767a6c258cace04eb33b795de70

                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms

                                                                                                  Filesize

                                                                                                  1KB

                                                                                                  MD5

                                                                                                  9aea097d8be9216531aeca7d6aa0fb33

                                                                                                  SHA1

                                                                                                  c53e093d278bbddd3c5ef1f1bc0051306bcd20e0

                                                                                                  SHA256

                                                                                                  2390ebc033637f4f9eeccb39ac54bc493e0826130d8e0dd8397010a48ba347bb

                                                                                                  SHA512

                                                                                                  498ef0c812e493741f3f904c952d4a64eb0916eb0b710a088b73e465e502f5af67d06005aec2ba91cefb27d177591ed0880eba7b54be5b813275ab15005166ba

                                                                                                • C:\Users\Admin\DOWNLO~1\DanaBot.dll

                                                                                                  Filesize

                                                                                                  2.4MB

                                                                                                  MD5

                                                                                                  7e76f7a5c55a5bc5f5e2d7a9e886782b

                                                                                                  SHA1

                                                                                                  fc500153dba682e53776bef53123086f00c0e041

                                                                                                  SHA256

                                                                                                  abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3

                                                                                                  SHA512

                                                                                                  0318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24

                                                                                                • C:\Users\Admin\Downloads\Unconfirmed 21252.crdownload

                                                                                                  Filesize

                                                                                                  431KB

                                                                                                  MD5

                                                                                                  fbbdc39af1139aebba4da004475e8839

                                                                                                  SHA1

                                                                                                  de5c8d858e6e41da715dca1c019df0bfb92d32c0

                                                                                                  SHA256

                                                                                                  630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

                                                                                                  SHA512

                                                                                                  74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

                                                                                                • C:\Users\Admin\Downloads\Unconfirmed 263777.crdownload

                                                                                                  Filesize

                                                                                                  31KB

                                                                                                  MD5

                                                                                                  29a37b6532a7acefa7580b826f23f6dd

                                                                                                  SHA1

                                                                                                  a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f

                                                                                                  SHA256

                                                                                                  7a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69

                                                                                                  SHA512

                                                                                                  a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818

                                                                                                • C:\Users\Admin\Downloads\Unconfirmed 463846.crdownload

                                                                                                  Filesize

                                                                                                  2.7MB

                                                                                                  MD5

                                                                                                  48d8f7bbb500af66baa765279ce58045

                                                                                                  SHA1

                                                                                                  2cdb5fdeee4e9c7bd2e5f744150521963487eb71

                                                                                                  SHA256

                                                                                                  db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1

                                                                                                  SHA512

                                                                                                  aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd

                                                                                                • C:\Users\Admin\Downloads\Unconfirmed 731226.crdownload

                                                                                                  Filesize

                                                                                                  484KB

• C:\Users\Admin\Downloads\Unconfirmed 807316.crdownload (Filesize: 414KB)

• C:\Users\Admin\Downloads\Unconfirmed 834974.crdownload (Filesize: 1.0MB)

• C:\Users\Admin\Downloads\Unconfirmed 834974.crdownload:SmartScreen (Filesize: 7B)

• C:\Users\Admin\Downloads\Unconfirmed 895779.crdownload (Filesize: 1.2MB)

• C:\Users\Public\Natso.bat (Filesize: 283B)

• memory/1812-605-0x00000000006B0000-0x00000000006B1000-memory.dmp (Filesize: 4KB)

• memory/1812-604-0x00000000001F0000-0x00000000001F1000-memory.dmp (Filesize: 4KB)

• memory/2072-465-0x0000000000400000-0x000000000066B000-memory.dmp (Filesize: 2.4MB)

• memory/2072-444-0x0000000000400000-0x000000000066B000-memory.dmp (Filesize: 2.4MB)

• memory/2092-2662-0x0000000000400000-0x000000000056F000-memory.dmp (Filesize: 1.4MB)

• memory/2092-28562-0x0000000000400000-0x000000000056F000-memory.dmp (Filesize: 1.4MB)

• memory/2576-10-0x0000000002200000-0x0000000002230000-memory.dmp (Filesize: 192KB)

• memory/2576-17-0x00000000005D0000-0x00000000006D0000-memory.dmp (Filesize: 1024KB)

• memory/4400-8-0x0000000000540000-0x0000000000640000-memory.dmp (Filesize: 1024KB)

• memory/4400-1-0x0000000002120000-0x0000000002150000-memory.dmp (Filesize: 192KB)

• memory/4400-113-0x0000000000540000-0x0000000000640000-memory.dmp (Filesize: 1024KB)

• memory/4964-603-0x0000000010410000-0x000000001047E000-memory.dmp (Filesize: 440KB)

• memory/5264-424-0x00000000020C0000-0x000000000232B000-memory.dmp (Filesize: 2.4MB)

• memory/5332-4337-0x0000000000400000-0x000000000056F000-memory.dmp (Filesize: 1.4MB)

• memory/5332-2664-0x0000000000400000-0x000000000056F000-memory.dmp (Filesize: 1.4MB)

• memory/6056-426-0x0000000000400000-0x0000000000AAD000-memory.dmp (Filesize: 6.7MB)

• memory/30476-28521-0x0000000000790000-0x00000000007FE000-memory.dmp (Filesize: 440KB)

• memory/36620-28085-0x0000000005A40000-0x0000000005A4A000-memory.dmp (Filesize: 40KB)

• memory/36620-28086-0x0000000005CD0000-0x0000000005D26000-memory.dmp (Filesize: 344KB)

• memory/36620-28084-0x0000000005AE0000-0x0000000005B72000-memory.dmp (Filesize: 584KB)

• memory/36620-28083-0x0000000005FF0000-0x0000000006594000-memory.dmp (Filesize: 5.6MB)

• memory/36620-28082-0x00000000059A0000-0x0000000005A3C000-memory.dmp (Filesize: 624KB)

• memory/36620-28081-0x0000000000F20000-0x0000000000FA2000-memory.dmp (Filesize: 520KB)