Resubmissions
Date              ID                 Score
01-11-2024 12:33  241101-pradyaypdv  10
27-10-2024 23:08  241027-24hmasskhj  10
20-10-2024 16:28  241020-tyzdvsxgqb  3
20-10-2024 16:26  241020-tx2gtszekk  3
02-10-2024 11:53  241002-n2j6fsycqb  3
13-09-2024 04:59  240913-fmwxpswcpb  3
11-09-2024 15:54  240911-tcmg6sygmm  3
11-09-2024 15:53  240911-tbsmsszbnh  10
25-08-2024 22:53  240825-2t6als1gll  10
Analysis
max time kernel: 477s
max time network: 483s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-08-2024 22:59
Static task: static1
Behavioral task: behavioral1 (sample dl2.exe, resource win7-20240704-en)
Behavioral task: behavioral2 (sample dl2.exe, resource win10v2004-20240802-en)
General
Target: dl2.exe
Size: 849KB
MD5: c2055b7fbaa041d9f68b9d5df9b45edd
SHA1: e4bd443bd4ce9029290dcd4bb47cb1a01f3b1b06
SHA256: 342f04c4720590c40d24078d46d9b19d8175565f0af460598171d58f5ffc48f3
SHA512: 18905b75938b8af9468b1aa3ffbae796a139c2762e623aa6ffb9ec2b293dd04aa1f90d1ed5a7dbda7853795a3688e368121a134c7f63e527a8e5e7679301a1dc
SSDEEP: 12288:A3RY3yNqMRTF4q2rxHn2ot/81xpNQyjUXlmoe7ufjHAtjXD7r2:A3RY3R24q+xn/8Xp2yOl5fzQ/2
Malware Config
Extracted
danabot
51.178.195.151
51.222.39.81
149.255.35.125
38.68.50.179
51.77.7.204
Extracted
modiloader
https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download
Signatures
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
BazarBackdoor 64 IoCs
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
flow  ioc  Process
190-193, 196, 200, 201, 204, 205, 207, 208, 210-220, 222-230, 232-236, 238-240, 242-253, 255-266  zirabuo.bazar  Process not Found  (63 flows, one row each; the sandbox could not attribute these flows to a process)
description  ioc  Process
Key created  \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection  msedge.exe
Danabot x86 payload 1 IoCs
Detection of the Danabot x86 payload, mapped in memory during the execution of its loader.
resource  yara_rule
behavioral2/files/0x00080000000235e7-421.dat  family_danabot
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
ModiLoader First Stage 2 IoCs
resource  yara_rule
behavioral2/files/0x000f0000000234e7-577.dat  modiloader_stage1
behavioral2/memory/4964-603-0x0000000010410000-0x000000001047E000-memory.dmp  modiloader_stage1  (pid 4964 is the NetWire.exe process listed under "Executes dropped EXE" below)
Renames multiple (526) files with added filename extension
This suggests ransomware activity: files across the system are encrypted and renamed. On this page the appended extension is the Dharma-style ".id-015EE178.[<contact address, scrubbed on the page>].ncov" written by CoronaVirus.exe, with "015EE178" as the per-victim identifier, as the file rows under "Drops startup file" and "Drops file in Program Files directory" show.
Blocklisted process makes network request 10 IoCs
flow  pid  Process
121, 133, 150, 154, 159, 165, 173, 187, 341, 507  2072  rundll32.exe  (10 flows, one row each; pid 2072 is also the rundll32.exe instance under "Loads dropped DLL")
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid  Process
5644  netsh.exe
Tries to connect to .bazar domain 64 IoCs
Attempts to look up or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
flow  ioc
190-193, 196, 200, 201, 204-206, 209-218, 220-248, 251-260, 262-266  zirabuo.bazar  (64 flows, one row each)
Checks computer location settings 2 TTPs 6 IoCs
Looks up the country code configured in the registry, likely a geofence check.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation  msedge.exe  (5 rows)
Key value queried  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation  CoronaVirus.exe  (1 row)
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 11 IoCs
description  ioc  Process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe\:SmartScreen:$DATA  NJRat.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe  CoronaVirus.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-015EE178.[[email protected]].ncov  CoronaVirus.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe  CoronaVirus.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta  CoronaVirus.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe  DeriaLock.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe  DeriaLock.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe  NJRat.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini  CoronaVirus.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-015EE178.[[email protected]].ncov  CoronaVirus.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe  NJRat.exe
Executes dropped EXE 33 IoCs
Process (pids)
DanaBot.exe: 6056
NJRat.exe: 4848, 2544, 6060, 5276, 2192, 5376
NetWire.exe: 4964, 1704, 4380
CoronaVirus.exe: 2092, 5332
fodhelper.exe: 39040
msedge.exe: 37184, 37116, 19224, 33976, 34096, 33208, 31160, 31108, 30672, 30072, 30020
DeriaLock.exe: 36620, 36524
BadRabbit.exe: 32984, 32844, 31752, 31608
4479.tmp: 32372
$uckyLocker.exe: 30476, 30356
Loads dropped DLL 20 IoCs
Process (pids)
regsvr32.exe: 5264, 5264
rundll32.exe: 2072, 32804, 32592, 31568, 31432
NetWire.exe: 1812
fodhelper.exe: 39040
msedge.exe: 37116, 37184, 19224, 33976, 34096, 33208, 31108, 31160, 30672, 30072, 30020
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unexpected DNS network traffic destination 64 IoCs
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
Destination IP (64 flows, 44 distinct destinations; the report lists one row per flow, so several addresses repeat)
66.70.211.246, 167.99.153.82, 46.101.70.183, 31.171.251.118, 130.255.78.223, 45.71.112.70, 128.52.130.209, 5.132.191.104, 77.73.68.161, 69.164.196.21, 46.28.207.199, 185.117.154.144, 91.217.137.37, 188.165.200.156, 50.3.82.215, 192.52.166.110, 162.248.241.94, 163.53.248.170, 139.99.96.146, 169.239.202.202, 82.196.9.45, 212.24.98.54, 45.63.124.65, 89.35.39.64, 193.183.98.66, 139.59.208.246, 198.251.90.143, 144.76.133.38, 178.17.170.179, 158.69.160.164, 159.89.249.249, 87.98.175.85, 172.98.193.42, 192.99.85.244, 104.238.186.189, 158.69.239.167, 82.141.39.32, 94.177.171.127, 217.12.210.54, 63.231.92.27, 81.2.241.148, 35.196.105.24, 142.4.204.111, 142.4.205.47
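Two of the network findings on this page reduce to checks that can be run over any flow export: the DanaBot C2 addresses and the ModiLoader download URL from the "Malware Config" section are plain indicator matches, and the "Unexpected DNS network traffic destination" signature is a policy check (port 53 to anything that is not a configured resolver). The port-53 check is the one that exposes the .bazar activity: .bazar is an Emercoin blockchain TLD that ordinary resolvers do not serve, so the backdoor has to query alternative DNS servers directly. The script below is an added example, not part of the sandbox report or of any sandbox tooling. Only the indicator values come from the page; the flow records and the configured-resolver set are constructed for illustration.

```python
"""Indicator and DNS-policy checks over flow records.

Added example, not part of the sandbox report. Only the DanaBot C2 addresses
and the ModiLoader download URL come from the page; the flow records and the
configured-resolver set are constructed for illustration.
"""
from ipaddress import ip_address
from typing import Optional
from urllib.parse import parse_qs, urlparse

# From the "Malware Config" section: DanaBot C2 addresses.
DANABOT_C2 = {
    "51.178.195.151", "51.222.39.81", "149.255.35.125", "38.68.50.179", "51.77.7.204",
}
# From the same section: the ModiLoader payload URL.
MODILOADER_URL = ("https://drive.google.com/u/0/uc"
                  "?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download")

# Assumption: the resolvers the monitored host is configured to use.
CONFIGURED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

# Constructed flow records: (src, dst, dst_port, proto).
SAMPLE_FLOWS = [
    ("10.0.0.5", "8.8.8.8",        53,  "udp"),  # ordinary DNS to a configured resolver
    ("10.0.0.5", "51.178.195.151", 443, "tcp"),  # DanaBot C2 from the extracted config
    ("10.0.0.5", "66.70.211.246",  53,  "udp"),  # port 53 to a server that is not a resolver
    ("10.0.0.5", "5.132.191.104",  53,  "tcp"),  # same, over TCP (DNS is not UDP-only)
    ("10.0.0.5", "142.250.74.78",  443, "tcp"),  # unrelated HTTPS
]


def drive_file_id(url: str) -> Optional[str]:
    """Google Drive file id from a uc?id=... URL, or None for any other host.

    Matching on the id instead of the literal URL survives reordered or extra
    query parameters (export=download, confirm=..., the /u/0/ prefix)."""
    parts = urlparse(url)
    if parts.netloc.lower() != "drive.google.com":
        return None
    ids = parse_qs(parts.query).get("id")
    return ids[0] if ids else None


MODILOADER_FILE_ID = drive_file_id(MODILOADER_URL)


def is_modiloader_download(url: str) -> bool:
    """True if the URL fetches the same Drive object as the extracted config."""
    return drive_file_id(url) == MODILOADER_FILE_ID


def unexpected_dns_destinations(flows, resolvers=CONFIGURED_RESOLVERS):
    """The 'Unexpected DNS network traffic destination' rule: any flow to port 53
    whose destination is not a configured resolver. Returns the distinct
    offenders (the report lists one row per flow, so its 64 rows repeat IPs)."""
    return {dst for _, dst, port, _ in flows if port == 53 and dst not in resolvers}


def c2_contacts(flows, c2=DANABOT_C2):
    """Flows whose destination is one of the extracted DanaBot C2 addresses."""
    return [flow for flow in flows if flow[1] in c2]


def triage(flows):
    """Both checks over one flow export, sorted numerically for stable reports."""
    return {
        "unexpected_dns": sorted(unexpected_dns_destinations(flows), key=ip_address),
        "c2": sorted({flow[1] for flow in c2_contacts(flows)}, key=ip_address),
    }


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_FLOWS).items():
        print(f"{rule}: {', '.join(hits) or 'none'}")
```

The resolver set is the part that must be right for the DNS check to mean anything: on a host that uses a local forwarder, port-53 traffic to the public resolvers in the example would itself be the anomaly.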
Abuse Elevation Control Mechanism: Bypass User Account Control 1 TTPs 1 IoCs
UAC Bypass Attempt via SilentCleanup Task.
pid  Process
8508  schtasks.exe
The signature keys on schtasks.exe running the SilentCleanup scheduled task, which executes with elevated privileges for members of the Administrators group. The page shows only the task invocation, not the environment change that would redirect what the task runs, so read this as the attempt the signature name states, not as confirmed elevation.
Adds Run key to start application 2 TTPs 6 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .."  NJRat.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .."  NJRat.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Qspt = "C:\\Users\\Admin\\AppData\\Local\\Qspt\\Qspt.hta"  NetWire.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"  CoronaVirus.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""  CoronaVirus.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""  CoronaVirus.exe
Note that the NJRat.exe value keeps the quoted path followed by " ..", the form njRAT writes for its autorun entry, and that both Info.hta values launch the ransom note through mshta.exe at every logon.
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Videos\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Searches\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Music\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Videos\desktop.ini CoronaVirus.exe File opened for modification 
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini CoronaVirus.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files (x86)\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Documents\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Music\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Desktop\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini CoronaVirus.exe File opened for modification 
C:\Users\Admin\OneDrive\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Downloads\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Links\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini CoronaVirus.exe File opened for modification 
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini CoronaVirus.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Libraries\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini CoronaVirus.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow  ioc
179  drive.google.com
113  raw.githubusercontent.com
114  raw.githubusercontent.com
178  drive.google.com
Drops file in System32 directory 2 IoCs
description  ioc  Process
File created  C:\Windows\System32\CoronaVirus.exe  CoronaVirus.exe
File created  C:\Windows\System32\Info.hta  CoronaVirus.exe
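The rows under "Drops startup file", "Adds Run key to start application" and "Drops file in System32 directory", together with the renamed files written by CoronaVirus.exe, are what a responder wants pulled out of this report as a hunting list, and the extracted page presents them run together on single lines. The parser below is an added example, not part of the report or of any sandbox tooling. Its input is a constructed string made of rows copied from this page (the "[[email protected]]" token is the page's scrubbed contact address and is kept as-is); it splits the run at the action keywords, unescapes the quoted registry values, and derives the autostart entries and the ransomware's ".id-<victim>.[<contact>].<ext>" suffix from them.

```python
"""Turn the flattened 'description ioc Process' rows of a sandbox report into
structured records and pull hunting artifacts out of them.

Added example, not part of the report. The input is constructed from rows that
appear on this page; '[[email protected]]' is the page's scrubbed form of the
ransomware contact address, reproduced as-is.
"""
import re
from collections import defaultdict

# Constructed: rows from the page run together on one line, as the extracted
# page presents them. Registry values keep the report's own backslash escaping.
FLATTENED = (
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe CoronaVirus.exe '
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-015EE178.[[email protected]].ncov CoronaVirus.exe '
    r'File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini CoronaVirus.exe '
    r'File created C:\Windows\System32\Info.hta CoronaVirus.exe '
    r'File created C:\Program Files\7-Zip\Lang\ug.txt.id-015EE178.[[email protected]].ncov CoronaVirus.exe '
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .." NJRat.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" CoronaVirus.exe '
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Qspt = "C:\\Users\\Admin\\AppData\\Local\\Qspt\\Qspt.hta" NetWire.exe'
)

ACTIONS = ("File created", "File opened for modification", "Set value (str)")
# A new row starts wherever an action keyword appears; the last token of a row
# is the acting process and everything between is the IoC.
ROW_START = re.compile(r"(?=" + "|".join(re.escape(a) + " " for a in ACTIONS) + ")")
ROW = re.compile(r"(" + "|".join(re.escape(a) for a in ACTIONS) + r") (.*) (\S+)$")
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run(?:Once)?)\\(.+)$")
RANSOM_SUFFIX = re.compile(r"\.id-(?P<victim>[0-9A-Fa-f]+)\.\[(?P<contact>.+?)\]\.(?P<ext>\w+)$")


def unescape(value: str) -> str:
    """Strip the surrounding quotes and undo backslash escaping in a report value."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return re.sub(r"\\(.)", r"\1", value)


def parse_rows(text: str) -> list[dict]:
    """Split a flattened row run into records with action, process and IoC fields."""
    records = []
    for row in filter(None, (piece.strip() for piece in ROW_START.split(text))):
        m = ROW.match(row)
        if not m:
            continue  # unknown row shape: skip rather than guess
        action, ioc, process = m.groups()
        rec = {"action": action, "process": process}
        if action == "Set value (str)":
            key, _, value = ioc.partition(" = ")
            rec.update(key=key, value=unescape(value))
        else:
            rec["path"] = ioc
        records.append(rec)
    return records


def persistence(records: list[dict]) -> list[dict]:
    """Autostart entries: Run/RunOnce values and files dropped in a Startup folder."""
    hits = []
    for r in records:
        if r["action"] == "Set value (str)":
            m = RUN_KEY.search(r["key"])
            if m:
                hits.append({"process": r["process"], "mechanism": m.group(1),
                             "name": m.group(2), "command": r["value"]})
        elif r["action"] == "File created" and "\\Start Menu\\Programs\\Startup\\" in r["path"]:
            hits.append({"process": r["process"], "mechanism": "Startup folder",
                         "name": r["path"].rsplit("\\", 1)[-1], "command": r["path"]})
    return hits


def ransom_suffixes(records: list[dict]) -> dict[tuple, list[str]]:
    """Group encrypted files by the (victim id, contact, extension) suffix the
    ransomware appended; the values are the names the files had before encryption."""
    groups = defaultdict(list)
    for r in records:
        m = RANSOM_SUFFIX.search(r.get("path", ""))
        if m:
            groups[(m["victim"], m["contact"], m["ext"])].append(r["path"][: m.start()])
    return dict(groups)


if __name__ == "__main__":
    recs = parse_rows(FLATTENED)
    for h in persistence(recs):
        print(f'{h["process"]:16} {h["mechanism"]:15} {h["name"]} -> {h["command"]}')
    for (victim, contact, ext), files in ransom_suffixes(recs).items():
        print(f"ransom suffix .id-{victim}.[{contact}].{ext}: {len(files)} file(s), e.g. {files[0]}")
```

Splitting on the action keyword is what makes the parser survive the page's formatting: paths contain spaces (Start Menu, Program Files, the scrubbed contact token), so the only reliable delimiters are the keywords at the front of each row and the process name at its end.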
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\Wallpaper = "0"  $uckyLocker.exe  (2 rows)
Suspicious use of SetThreadContext 1 IoCs
description  pid  Process  procid_target
PID 1812 set thread context of 7712  1812  NetWire.exe  183
Setting another process's thread context is the step that injection and process-hollowing loaders use to redirect execution into a payload they have written; pid 1812 is the NetWire.exe instance listed under "Loads dropped DLL".
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL022.XML CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\LargeTile.scale-125.png CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-pl.xrm-ms CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.NetFX35.dll.id-015EE178.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ScCore.dll CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.HttpListener.dll CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosMedTile.contrast-white_scale-125.png CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\plugins.js.id-015EE178.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ms_get.svg CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\msipc.dll.mui.id-015EE178.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-64_altform-unplated.png CoronaVirus.exe File opened for modification C:\Program 
Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeBadge.scale-400.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-100_contrast-high.png CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\css\main-selector.css.id-015EE178.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\icons_ie8.gif.id-015EE178.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\eu-es\ui-strings.js CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\edit_pdf_poster2x.jpg CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ru-RU\View3d\3DViewerProductDescription-universal.xml CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\th_get.svg CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\zh-cn_get.svg.id-015EE178.[[email 
protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\msix.dll CoronaVirus.exe File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\AppxSignature.p7x CoronaVirus.exe File opened for modification C:\Program Files\7-Zip\Lang\ja.txt CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookLargeTile.scale-100.png CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\desktop.js CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\new_icons_retina.png CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-pl.xrm-ms.id-015EE178.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\OFFSYMSB.TTF.id-015EE178.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-24.png CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ul-oob.xrm-ms CoronaVirus.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libx265_plugin.dll.id-015EE178.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program 
Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteMedTile.scale-100.png CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_reminders_18.svg CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\msipc.dll.id-015EE178.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\keystore\libfile_keystore_plugin.dll.id-015EE178.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_newfolder-default.svg.id-015EE178.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\duplicate.svg.id-015EE178.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUIRES.DLL.id-015EE178.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\AppxSignature.p7x CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-100.png.id-015EE178.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\tr-tr\ui-strings.js.id-015EE178.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\MatchExactly.ps1 CoronaVirus.exe File 
opened for modification C:\Program Files\Microsoft Office\root\Office16\Library\EUROTOOL.XLAM.id-015EE178.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.dll.id-015EE178.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\ui-strings.js.id-015EE178.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Aero.dll CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\ExcelMessageDismissal.txt.id-015EE178.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageMedTile.scale-400.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\Icons\jit_rich_capture.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-20.png CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_nextarrow_default.svg.id-015EE178.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ppd.xrm-ms.id-015EE178.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ppd.xrm-ms.id-015EE178.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ppd.xrm-ms.id-015EE178.[[email 
protected]].ncov CoronaVirus.exe File created C:\Program Files\7-Zip\Lang\ug.txt.id-015EE178.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7_RTL.wmv.id-015EE178.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN111.XML CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-125.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-200.png CoronaVirus.exe -
Drops file in Windows directory 11 IoCs
description | ioc | Process
File opened for modification | C:\Windows\infpub.dat | rundll32.exe
File opened for modification | C:\Windows\infpub.dat | rundll32.exe
File created | C:\Windows\infpub.dat | BadRabbit.exe
File opened for modification | C:\Windows\infpub.dat | rundll32.exe
File created | C:\Windows\infpub.dat | BadRabbit.exe
File created | C:\Windows\infpub.dat | BadRabbit.exe
File created | C:\Windows\cscc.dat | rundll32.exe
File created | C:\Windows\dispci.exe | rundll32.exe
File created | C:\Windows\infpub.dat | BadRabbit.exe
File opened for modification | C:\Windows\4479.tmp | rundll32.exe
File opened for modification | C:\Windows\infpub.dat | rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Program crash 2 IoCs
pid | pid_target | Process | procid_target
2240 | 6056 | WerFault.exe | 135
5408 | 4380 | WerFault.exe | 173
System Location Discovery: System Language Discovery 1 TTPs 35 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BadRabbit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NJRat.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NetWire.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NetWire.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NetWire.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BadRabbit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CoronaVirus.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CoronaVirus.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BadRabbit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | $uckyLocker.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NJRat.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NetWire.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BadRabbit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DeriaLock.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DanaBot.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NJRat.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Notepad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DeriaLock.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | $uckyLocker.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NJRat.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NJRat.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NJRat.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
27860 | vssadmin.exe
39164 | vssadmin.exe
Modifies registry class 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1194130065-3471212556-1656947724-1000\{8AD672B1-5206-45E0-BF8A-B9F6EE054164} | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | msedge.exe
Modifies registry key 1 TTPs 3 IoCs
pid | Process
8464 | reg.exe
8588 | reg.exe
8080 | reg.exe
NTFS ADS 7 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 895779.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 834974.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 731226.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 21252.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 807316.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 463846.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 263777.crdownload:SmartScreen | msedge.exe
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 179 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 181 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3396 | msedge.exe
3396 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
3856 | identity_helper.exe
3856 | identity_helper.exe
5776 | msedge.exe
5776 | msedge.exe
3860 | msedge.exe
3860 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
4600 | msedge.exe
4600 | msedge.exe
4600 | msedge.exe
4600 | msedge.exe
2544 | NJRat.exe
4848 | NJRat.exe
2544 | NJRat.exe
4848 | NJRat.exe
2544 | NJRat.exe
2544 | NJRat.exe
4848 | NJRat.exe
4848 | NJRat.exe
2544 | NJRat.exe
2544 | NJRat.exe
2544 | NJRat.exe
2544 | NJRat.exe
2544 | NJRat.exe
2544 | NJRat.exe
2544 | NJRat.exe
2544 | NJRat.exe
2544 | NJRat.exe
2544 | NJRat.exe
2544 | NJRat.exe
2544 | NJRat.exe
2544 | NJRat.exe
2544 | NJRat.exe
4848 | NJRat.exe
4848 | NJRat.exe
4848 | NJRat.exe
4848 | NJRat.exe
4848 | NJRat.exe
4848 | NJRat.exe
4848 | NJRat.exe
4848 | NJRat.exe
4848 | NJRat.exe
4848 | NJRat.exe
4848 | NJRat.exe
4848 | NJRat.exe
4848 | NJRat.exe
4848 | NJRat.exe
4848 | NJRat.exe
4848 | NJRat.exe
4848 | NJRat.exe
4848 | NJRat.exe
2544 | NJRat.exe
2544 | NJRat.exe
2544 | NJRat.exe
2544 | NJRat.exe
4848 | NJRat.exe
4848 | NJRat.exe
4848 | NJRat.exe
4848 | NJRat.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs
pid | Process
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2544 | NJRat.exe
Token: SeDebugPrivilege | 4848 | NJRat.exe
Token: SeDebugPrivilege | 6060 | NJRat.exe
Token: SeDebugPrivilege | 5276 | NJRat.exe
Token: SeDebugPrivilege | 2192 | NJRat.exe
Token: 33 | 4848 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 4848 | NJRat.exe
Token: SeDebugPrivilege | 5376 | NJRat.exe
Token: 33 | 4848 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 4848 | NJRat.exe
Token: 33 | 4848 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 4848 | NJRat.exe
Token: 33 | 4848 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 4848 | NJRat.exe
Token: 33 | 4848 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 4848 | NJRat.exe
Token: 33 | 4848 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 4848 | NJRat.exe
Token: 33 | 4848 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 4848 | NJRat.exe
Token: 33 | 4848 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 4848 | NJRat.exe
Token: 33 | 4848 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 4848 | NJRat.exe
Token: 33 | 4848 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 4848 | NJRat.exe
Token: SeBackupPrivilege | 39988 | vssvc.exe
Token: SeRestorePrivilege | 39988 | vssvc.exe
Token: SeAuditPrivilege | 39988 | vssvc.exe
Token: 33 | 4848 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 4848 | NJRat.exe
Token: 33 | 4848 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 4848 | NJRat.exe
Token: 33 | 4848 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 4848 | NJRat.exe
Token: 33 | 4848 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 4848 | NJRat.exe
Token: 33 | 4848 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 4848 | NJRat.exe
Token: 33 | 4848 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 4848 | NJRat.exe
Token: 33 | 4848 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 4848 | NJRat.exe
Token: 33 | 4848 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 4848 | NJRat.exe
Token: 33 | 4848 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 4848 | NJRat.exe
Token: 33 | 4848 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 4848 | NJRat.exe
Token: 33 | 4848 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 4848 | NJRat.exe
Token: 33 | 4848 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 4848 | NJRat.exe
Token: 33 | 4848 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 4848 | NJRat.exe
Token: SeDebugPrivilege | 36620 | DeriaLock.exe
Token: SeDebugPrivilege | 36524 | DeriaLock.exe
Token: 33 | 4848 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 4848 | NJRat.exe
Token: 33 | 4848 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 4848 | NJRat.exe
Token: 33 | 4848 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 4848 | NJRat.exe
Token: 33 | 4848 | NJRat.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
Suspicious use of SendNotifyMessage 32 IoCs
pid | Process
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
1020 | msedge.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
4400 | dl2.exe
2576 | dl2.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1020 wrote to memory of 648 | 1020 | msedge.exe | 99
PID 1020 wrote to memory of 648 | 1020 | msedge.exe | 99
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 1244 | 1020 | msedge.exe | 100
PID 1020 wrote to memory of 3396 | 1020 | msedge.exe | 101
PID 1020 wrote to memory of 3396 | 1020 | msedge.exe | 101
PID 1020 wrote to memory of 1444 | 1020 | msedge.exe | 102
PID 1020 wrote to memory of 1444 | 1020 | msedge.exe | 102
PID 1020 wrote to memory of 1444 | 1020 | msedge.exe | 102
PID 1020 wrote to memory of 1444 | 1020 | msedge.exe | 102
PID 1020 wrote to memory of 1444 | 1020 | msedge.exe | 102
PID 1020 wrote to memory of 1444 | 1020 | msedge.exe | 102
PID 1020 wrote to memory of 1444 | 1020 | msedge.exe | 102
PID 1020 wrote to memory of 1444 | 1020 | msedge.exe | 102
PID 1020 wrote to memory of 1444 | 1020 | msedge.exe | 102
PID 1020 wrote to memory of 1444 | 1020 | msedge.exe | 102
PID 1020 wrote to memory of 1444 | 1020 | msedge.exe | 102
PID 1020 wrote to memory of 1444 | 1020 | msedge.exe | 102
PID 1020 wrote to memory of 1444 | 1020 | msedge.exe | 102
PID 1020 wrote to memory of 1444 | 1020 | msedge.exe | 102
PID 1020 wrote to memory of 1444 | 1020 | msedge.exe | 102
PID 1020 wrote to memory of 1444 | 1020 | msedge.exe | 102
PID 1020 wrote to memory of 1444 | 1020 | msedge.exe | 102
PID 1020 wrote to memory of 1444 | 1020 | msedge.exe | 102
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\dl2.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dl2.exe"
  - Suspicious use of SetWindowsHookEx
  PID: 4400

C:\Users\Admin\AppData\Local\Temp\dl2.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\dl2.exe {87911C0D-E644-4A0D-9804-AC9ACAB7CF2E}
  - Suspicious use of SetWindowsHookEx
  PID: 2576
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  - BazarBackdoor
  - Enumerates system info in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 1020

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa3a1e46f8,0x7ffa3a1e4708,0x7ffa3a1e4718
    PID: 648

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
    PID: 1244
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID: 3396

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
    PID: 1444

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
    PID: 516

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
    PID: 4384

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
    PID: 1908

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
    PID: 2020

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
    PID: 212
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 3856

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
    PID: 904

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
    PID: 2992

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
    PID: 5128

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
    PID: 5308

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
    PID: 5508

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5772 /prefetch:8
    PID: 5768
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5696 /prefetch:8
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID: 5776

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
    PID: 5984

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=212 /prefetch:1
    PID: 6116

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
    PID: 6128

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5492 /prefetch:8
    PID: 5736

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
    PID: 5744

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6044 /prefetch:8
    PID: 5960
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6640 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 3860

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
    PID: 5956

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4048 /prefetch:8
    PID: 5540

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1452 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 5892

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3720 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
    PID: 4600
  C:\Users\Admin\Downloads\NJRat.exe (depth 2)
    Command line: "C:\Users\Admin\Downloads\NJRat.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4848

    C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NJRat.exe" "NJRat.exe" ENABLE
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
      PID: 5644
  C:\Users\Admin\Downloads\NJRat.exe (depth 2)
    Command line: "C:\Users\Admin\Downloads\NJRat.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2544

  C:\Users\Admin\Downloads\NJRat.exe (depth 2)
    Command line: "C:\Users\Admin\Downloads\NJRat.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 6060

  C:\Users\Admin\Downloads\NJRat.exe (depth 2)
    Command line: "C:\Users\Admin\Downloads\NJRat.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 5276

  C:\Users\Admin\Downloads\NJRat.exe (depth 2)
    Command line: "C:\Users\Admin\Downloads\NJRat.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 2192
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
    PID: 3456

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6484 /prefetch:8
    PID: 6096

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
    PID: 5836
  C:\Users\Admin\Downloads\NetWire.exe
      "C:\Users\Admin\Downloads\NetWire.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 4964
    C:\Users\Admin\Downloads\NetWire.exe
        "C:\Users\Admin\Downloads\NetWire.exe"
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        PID: 1812
      C:\Windows\SysWOW64\Notepad.exe
          C:\Windows\System32\Notepad.exe
          - System Location Discovery: System Language Discovery
          PID: 7032
        C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Natso.bat" "
            - System Location Discovery: System Language Discovery
            PID: 7220
          C:\Windows\SysWOW64\reg.exe
              reg delete hkcu\Environment /v windir /f
              - System Location Discovery: System Language Discovery
              - Modifies registry key
              PID: 8080
          C:\Windows\SysWOW64\reg.exe
              reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "
              - System Location Discovery: System Language Discovery
              - Modifies registry key
              PID: 8464
          C:\Windows\SysWOW64\schtasks.exe
              schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
              - Abuse Elevation Control Mechanism: Bypass User Account Control
              - System Location Discovery: System Language Discovery
              PID: 8508
          C:\Windows\SysWOW64\reg.exe
              reg delete hkcu\Environment /v windir /f
              - System Location Discovery: System Language Discovery
              - Modifies registry key
              PID: 8588
        C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Runex.bat" "
            - System Location Discovery: System Language Discovery
            PID: 27308
          C:\Windows \System32\fodhelper.exe
              "C:\Windows \System32\fodhelper.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              PID: 39040
      C:\Program Files (x86)\internet explorer\ieinstal.exe
          "C:\Program Files (x86)\internet explorer\ieinstal.exe"
          PID: 7712
  C:\Users\Admin\Downloads\NetWire.exe
      "C:\Users\Admin\Downloads\NetWire.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 1704
    C:\Users\Admin\Downloads\NetWire.exe
        "C:\Users\Admin\Downloads\NetWire.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 4380
      C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 240
          - Program crash
          PID: 5408
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
      PID: 8828
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2024 /prefetch:8
      PID: 8940
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6824 /prefetch:8
      PID: 8784
  C:\Users\Admin\Downloads\CoronaVirus.exe
      "C:\Users\Admin\Downloads\CoronaVirus.exe"
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      PID: 2092
    C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        PID: 7640
      C:\Windows\system32\mode.com
          mode con cp select=1251
          PID: 36544
      C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
          PID: 27860
    C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        PID: 39920
      C:\Windows\system32\mode.com
          mode con cp select=1251
          PID: 39236
      C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
          PID: 39164
    C:\Windows\System32\mshta.exe
        "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
        PID: 39732
    C:\Windows\System32\mshta.exe
        "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
        PID: 39704
  C:\Users\Admin\Downloads\CoronaVirus.exe
      "C:\Users\Admin\Downloads\CoronaVirus.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 5332
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      PID: 37184
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2220 /prefetch:8
      - Executes dropped EXE
      - Loads dropped DLL
      PID: 37116
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 /prefetch:8
      - Executes dropped EXE
      - Loads dropped DLL
      PID: 19224
  C:\Users\Admin\Downloads\DeriaLock.exe
      "C:\Users\Admin\Downloads\DeriaLock.exe"
      - Drops startup file
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 36620
  C:\Users\Admin\Downloads\DeriaLock.exe
      "C:\Users\Admin\Downloads\DeriaLock.exe"
      - Drops startup file
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 36524
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      PID: 34096
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6884 /prefetch:8
      - Executes dropped EXE
      - Loads dropped DLL
      PID: 33976
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6232 /prefetch:8
      - Executes dropped EXE
      - Loads dropped DLL
      PID: 33208
  C:\Users\Admin\Downloads\BadRabbit.exe
      "C:\Users\Admin\Downloads\BadRabbit.exe"
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      PID: 32984
    C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        - Loads dropped DLL
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        PID: 32804
      C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Delete /F /TN rhaegal
          PID: 32672
      C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2836839790 && exit"
          PID: 32488
      C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 23:24:00
          PID: 32440
      C:\Windows\4479.tmp
          "C:\Windows\4479.tmp" \\.\pipe\{6366A00B-1511-456F-A1E6-A3ECF266E7E8}
          - Executes dropped EXE
          PID: 32372
  C:\Users\Admin\Downloads\BadRabbit.exe
      "C:\Users\Admin\Downloads\BadRabbit.exe"
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      PID: 32844
    C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        - Loads dropped DLL
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        PID: 32592
  C:\Users\Admin\Downloads\BadRabbit.exe
      "C:\Users\Admin\Downloads\BadRabbit.exe"
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      PID: 31752
    C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        - Loads dropped DLL
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        PID: 31568
  C:\Users\Admin\Downloads\BadRabbit.exe
      "C:\Users\Admin\Downloads\BadRabbit.exe"
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      PID: 31608
    C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        - Loads dropped DLL
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        PID: 31432
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      PID: 31160
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1388 /prefetch:8
      - Executes dropped EXE
      - Loads dropped DLL
      PID: 31108
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6992 /prefetch:8
      - Executes dropped EXE
      - Loads dropped DLL
      PID: 30672
  C:\Users\Admin\Downloads\$uckyLocker.exe
      "C:\Users\Admin\Downloads\$uckyLocker.exe"
      - Executes dropped EXE
      - Sets desktop wallpaper using registry
      - System Location Discovery: System Language Discovery
      PID: 30476
  C:\Users\Admin\Downloads\$uckyLocker.exe
      "C:\Users\Admin\Downloads\$uckyLocker.exe"
      - Executes dropped EXE
      - Sets desktop wallpaper using registry
      - System Location Discovery: System Language Discovery
      PID: 30356
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:1
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      PID: 30072
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9596099583403137565,15962314581287290760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      PID: 30020
C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 3192
C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 1044
C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID: 5592
C:\Users\Admin\Downloads\DanaBot.exe
    "C:\Users\Admin\Downloads\DanaBot.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 6056
  C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\DanaBot.exe@6056
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID: 5264
    C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\DanaBot.dll,f0
        - Blocklisted process makes network request
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        PID: 2072
  C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6056 -s 464
      - Program crash
      PID: 2240
C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 6056 -ip 6056
    PID: 5420
C:\Users\Admin\Downloads\NJRat.exe
    "C:\Users\Admin\Downloads\NJRat.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 5376
C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4380 -ip 4380
    PID: 3008
C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x404 0x33c
    PID: 6528
C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
    PID: 39988
C:\Windows\system32\werfault.exe
    werfault.exe /h /shared Global\a2319400183a4c129bafc9934aea2b16 /t 39724 /p 39732
    PID: 37968
C:\Windows\system32\werfault.exe
    werfault.exe /h /shared Global\05d8d50b2259442cb4cc88cc4fe124ff /t 39696 /p 39704
    PID: 37736
C:\Windows\explorer.exe
    explorer.exe
    PID: 35092
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Direct Volume Access (1)
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (3)

Credential Access
- Credentials from Password Stores (2)
  - Credentials from Web Browsers (1)
  - Windows Credential Manager (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-015EE178.[[email protected]].ncov
  Filesize: 2.7MB
  MD5:    114281ae54139ce9cb76cdec24e79920
  SHA1:   66b86a84e4c8590ca1f2b740e118087a06b67d0a
  SHA256: 45474c0be610958c842be74d441d3a7dc1b82eac6c99a8938d5447d54d76ee27
  SHA512: 910b730e8cc33b9e7e8936f377f31cd9cdf5e2d7ecadaefb344305cdbb7fff3c8e576beb48d9b8398836678a66e7d7af696825cf88ac74381e6e02b867e87037

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CDE89F9DCB25D8AC547E3CEFDA4FB6C2_EFB75332C2EEE29C462FC21A350076B8
  Filesize: 5B
  MD5:    5bfa51f3a417b98e7443eca90fc94703
  SHA1:   8c015d80b8a23f780bdd215dc842b0f5551f63bd
  SHA256: bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
  SHA512: 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

  Filesize: 319B
  MD5:    da4fafeffe21b7cb3a8c170ca7911976
  SHA1:   50ef77e2451ab60f93f4db88325b897d215be5ad
  SHA256: 7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7
  SHA512: 0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6

  Filesize: 152B
  MD5:    4dd2754d1bea40445984d65abee82b21
  SHA1:   4b6a5658bae9a784a370a115fbb4a12e92bd3390
  SHA256: 183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d
  SHA512: 92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

  Filesize: 152B
  MD5:    ecf7ca53c80b5245e35839009d12f866
  SHA1:   a7af77cf31d410708ebd35a232a80bddfb0615bb
  SHA256: 882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687
  SHA512: 706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 3KB
  MD5:    1813944f1bcf4cc16794a5d3bbbc908b
  SHA1:   41668e8f8f1ba7d6f2e8787d37f3e16a6a202f13
  SHA256: 5efaa906b25c5fe18b09840c8907a7efe7260ff52caa57d42ac54f695a71d2eb
  SHA512: b057cee403bfbf615877ac8ae563c74249eef04567f7075782af30ad997a4eec998088fb04c208ea6e2136a7e6a382924ccba7caa784c6fcb5f0f27a20b9c964

  Filesize: 879B
  MD5:    114c72f78dbf33a1030ab8560d48842f
  SHA1:   6bb415436b663981d91d2572a859cb653af049fc
  SHA256: a62a540eac7231012b7f9363f0c4e90eeb184ac29009de1c30b3dff52e1872f8
  SHA512: 00b5007b6805199528e7aeeb65b877238498498edc1c7fb61579ad4f67a602cc1753992cfadf5a63f62a053cc53956436109aff56220ba0f5f97497877b2538a

  Filesize: 7KB
  MD5:    4d26c4c8d218dab6a384b8a99365c317
  SHA1:   9178d71ba723ad8fa15daa15ebcaad4b381ec635
  SHA256: 60d2dee47621cbeb0ae37d6e675798dcd52e928f893fb921e97288e780009c3c
  SHA512: 33a352a0b77ef99a2b8de262b2a2a646ccf72ff9a04d33fb96396c26eafe3683167882073f97b90796e4fdd435c34367c9681783121f4d51413741d1108698c1

  Filesize: 7KB
  MD5:    fcfa2d6f4837c7441b63f5cbdb1785e0
  SHA1:   65817e2367f849426c906199492d0e0231c7e5cc
  SHA256: b400a3aeb645ff71a33c9f1dda48311a826daf891467b6aa96740bc2ee487447
  SHA512: 8ccf72e70d275fddc56aa98f1cc826da87fce371f492f780e1d0433d24b8d38b6f0ec308a67862afb3529a66db442105839d35723334471b56fa799f3fc4ed0f

  Filesize: 6KB
  MD5:    0a8b7f301b36632d4a7c80feb84c188c
  SHA1:   0abd3da9c20552319143c6948c1a65a18c69f90e
  SHA256: 2bd24b6b993ad41ee84a8604e7eeda8ec71d648c39880a7d2de6c47a54ede139
  SHA512: 704dd5c4ba8f27d79b90f089855ff0e1e1d99e8c02b9943f2bcc693d5cca738159e746ed1d97fe1ff601c6a17c2041ab3d8240225d1ed23fc1ffc6e3e0455f2e

  Filesize: 6KB
  MD5:    e58a2375f4cbf07fb49fb3d79905b5f5
  SHA1:   7c451f35fab88b9b9d7860fb92353e3776a68f30
  SHA256: 9ecd75199523dd873271aa0b7ca1fd8bf0fb5787e5c6a5a0ac4e4b5c3806b747
  SHA512: e0d6a5902611838850f6b040e2676ddeb67673a18dce4f22f3735fce0118cf9a7db09d398416df87100ce5ed6c657a252167de5fde24722a2452d27a2f7439fc

  Filesize: 6KB
  MD5:    62985c6db335859b3cd596b127a59ba1
  SHA1:   c6686d220a5d057e01791beb9fb8e3fa9e326a27
  SHA256: de32f0dfe107323131c06d661100844e4ac5b0619f1d1536f83a6305ab0539cc
  SHA512: a321c10531e144aba79bb325ec15901891677906463c59623720c77453a0c0fef36b829d92a5840b4b0311d2819e630fb4ed24c5e3b57ade0db1fa9c30567358

  Filesize: 1KB
  MD5:    ed13886c0da5f34edd59ce6beeefa327
  SHA1:   a721e28d830fb59d14442295c669083710b07add
  SHA256: 1b0c009f8641e7b30bcdd5e8776800c974d3b7d8e9f1cb33d68f825b6010943f
  SHA512: 41f04008c63c861644ab80932ba783b12b5ce018927ee6ea7fa99139ab7e7ba1b62e90f5c07c4b5bab7084a788e3f4619892a29ae2003796b3751611c607587e

  Filesize: 1KB
  MD5:    7e089bd5facddaf61685b5b511cbf5e5
  SHA1:   b7b766f0bacaa2924ce3c539d6a408ee9410b769
  SHA256: d57fe11e8b951dd1380a17415b1f40297efd0cfcc8ad877586ff0db5fc1a4673
  SHA512: ffe34f45b872cbe3233dd38b54dd83dd2e85fca2d74e061afa1370379082e4e713b7d38593a9fa48d1caba2804b992311eab2b444440f2d8e5043d2d0b2116c1

  Filesize: 1KB
  MD5:    772654d59c3d7f6838acb49de5972a51
  SHA1:   bf4c1c15da9c9d2a2477a72ea6e74f5806f36c19
  SHA256: 00e488c909c9890898c8a0ac3adca4a75315356c04971f8426f225a9846d9c90
  SHA512: 2f168bb5d98b963afefcd9f3945ae74b70f3db4ec1dc083d38c254e4bb95b9b66cec8986969219d05e0967e82fc8918092dd10efc46b22b81c00a0b87e358465

  Filesize: 1KB
  MD5:    df69a47aee7317c914c54ea5b14c0214
  SHA1:   559d165b1e6513b1657cb95659889ad3abc00c5e
  SHA256: 22f76ca64aa5f673cbdbf0531c1898c9c207fe0e41284d3b465ab6f781110da1
  SHA512: 7e6bc14a87152f678998d0406bc3fcaa942daaaf7daa32ef18f044b82d924232053427284ef091873be4147a4667cf1ae4e2baa7ae7920a81dcb00c44031871b

  Filesize: 1KB
  MD5:    8b9a9a40722594f96cbad3ece660660c
  SHA1:   ae73c765a3d3e9ee22069602cd477afdbf69cd80
  SHA256: a613e55569c3c195b6e187171d17295ae248a4fa0fac0b9d232af17febe65f4f
  SHA512: 02652dda1676028fca4be7eb248718d8f3b09d40282ae79e429a82f5a434b2734546115d64e725622b8116d0527671f641791a3cdca736095845f0aca5101b4c

  Filesize: 1KB
  MD5:    cb89e5debc0f9e46cad507a55df8fc3c
  SHA1:   c91b5390bd8edffccf2c7829e33b80383515fbb6
  SHA256: 011bb46a641c169ed919964686b4b90f9eef4263fe9ca1bb8ef8ec4aa9f0a4d4
  SHA512: 79e5570824705e2c1b0a6b13867f3bbec23822660cfed12d3b73512b66c3de7c5902c711142a6096556cfbaf93705c5653d13226dc6c52cd363414a6f22875ec

  Filesize: 1KB
  MD5:    d7e75a50c1aa5e7852934a9ecc0cda04
  SHA1:   ab7d59de316bb572bce54f535d25a39252795fae
  SHA256: c916106d27a0cd97243a32d17b1977ce5828b4205cce0959ceb6da0a16fc2dcb
  SHA512: 29ed601d7b40e948ced0a198e20eb98231758aa92ff8fdaa18060f11abe34e015cb068de407b774a46e3316396b17690f99a85e636646ebe98701e685b5e0a96

  Filesize: 1KB
  MD5:    3e2bf5fcbd16b4245b89fef3771cce88
  SHA1:   9072083b0a0bbce9c3bde0f6ae13941da3cb647a
  SHA256: 2cd227bab9d7fb39230a82391bceb83986480c5fad7d89a3480c3b22229fd561
  SHA512: 24514c38339a36e0e3c0927edff2d6224685e86ce843c1be06c6dd50598ab87bb675522dfbd5f5156a97d1aec3774081d8beac5cc00b9a4edb935db47d0e44c6

  Filesize: 1KB
  MD5:    69dbfdb0a366de4596b177b64f741e08
  SHA1:   0752cffdea8da419b2574871dc46fb7175d2943d
  SHA256: 5cab66580cd3125f7834ce757d445859c06ce6600a04266c5f073fd89d98fd76
  SHA512: 7a5598fb0fe09933b680c9ff107e28282d6dbfc2c352ec2f4c278e51c401273f555b6125facb8a1335c1fef936e3c349942e8d988631bd876ec48da910c195eb

  Filesize: 1KB
  MD5:    54c24f42252fa6e31411cebe928059ce
  SHA1:   a821179aee53ca51a794ba98919da6d64ef232fb
  SHA256: 53083c06d4f433c553b87f04dd1c436e55656ec14b817db0896518b36039f3f6
  SHA512: de756e0d4515348413a4958187ab001d554383189cb27e96955ad0d1a4c482081ef3d4e90a3a1e71728f83675baf2577d8b83b4aa22fc248616c97ec97da7ede

  Filesize: 1KB
  MD5:    2bc987987351668ef002fe1ab7d344b6
  SHA1:   00b1f8342c4055a10d6cdd1b4456dd65e17c1c96
  SHA256: 783e21a2235ba2a9e9a25197573ee22f3751acc6348bcead17b10f0da35d351f
  SHA512: d0d65454f679d5c5ec7bfde2526c2171bcbb7745f50eb59b7d7b1df5e1d3e3a2d2a5a2fe3e0ec598a737ed3f5c235267f6616c79bbbc4adeb17aa173d320d5da

  Filesize: 16B
  MD5:    6752a1d65b201c13b62ea44016eb221f
  SHA1:   58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

  Filesize: 12KB
  MD5:    0153c8ef7d73ae9afb9b36fde4f0f5ce
  SHA1:   c9ad243a8b8763b0435e5c9ada12cd6b5a3e1d88
  SHA256: 74a2183974ca6a507f7b6565a9e511ff5bb8715e85d0eaad991a4c8a30c973f9
  SHA512: 5e0348b6fcaefeb48c109aa70d47b20aa54dec4bd280e720dbd70d7f4fc072e38fc4c9b0975baddb006767bd1c92cf578725b60fe8240d5ef38eb7a8b960354e

  Filesize: 12KB
  MD5:    b08199362112a2e08f20b0d097179c65
  SHA1:   3d73e42dd093ea4d372a03c598fa72c6d97986b1
  SHA256: e3256ee772fa7166acb51366131140ad80de0e8a5f11554cc1af5d3fa604f778
  SHA512: 8cf551a44f37fb557b19d79516b6442038916da81b390d8d1e36963052928a0dac1a9ace264edbe24c8d2b4da0b3c5c811f800e48d6997349b806937a47cb90b

  Filesize: 11KB
  MD5:    d017f941d085a8d2be5987ee6341fcf7
  SHA1:   8d7042bcd3b4d2dc7bb85cb11fa072bbd4758541
  SHA256: 27fbd5ee7e881b6b9b32e22b5c9a281c9bbcd71bbd47e4c89e7a5b6cd90b3ec4
  SHA512: 34250c162b516d2d6d2c25d243b3fde338b52a9a96eda8b07cff7b67c7e8ad138d69ae52d6916b179d9a939c413b62d1eb227dad1d67bcac0ff7c493111e2d6a

  Filesize: 12KB
  MD5:    5d3f51d59086775be845f58bd1e6d545
  SHA1:   d1782aa04cf0be4ac743c8f7422d19bed937bb0f
  SHA256: 9584f4f5c1daed764631f556cba98d02e01dc7becad7432b2104a6008cf0a690
  SHA512: 134098ff7434626826e3a34c729f0c164769b2f1ef586704c43c13fcbb3b4d89cd4425379e684fe9bbcf22a0f194f12b7be4fd0017b48db9617e2380dd9ec488

  Filesize: 11KB
  MD5:    4be839881484a37315f46a79ff3426d8
  SHA1:   cd61c6292e7876dbce81e148ae3af4fdb536d01b
  SHA256: 5256cbcde97cc2e8f5feff2f9ca0c999661da21c2433971cebd098eac7bb3a8b
  SHA512: aa1477fde7184e633c7bcdf650e61b0ec914d934020f74fd6ed948b0ca3dd6c6a3b6cd29974dae713354f236cb3732b6daf4dbe0184c6093bb8043888c9bd012

  Filesize: 12KB
  MD5:    ce9fc566995b39b1c1b17ae410dc984e
  SHA1:   0c8fe103545b7816b800c9ba2dc398b25c67d50c
  SHA256: aab3457b952d1ace2571beb20f454700c4d79b39fadb112a7c676cd71e1eb11a
  SHA512: 6c664f10687e600fa7df321b6abdc97be75661f2028b6f6b84fbdc6832236c95f67cd801a3fc45882be43b2cd0dd8ee70253b545d0c0114ddc7ac2e789a841ae

  Filesize: 12KB
  MD5:    5dd539aeae4465bb9e2e4ba7e49a7c4a
  SHA1:   ca712a81c53f112d760806740aad1c4714d941ce
  SHA256: d0b0d31bb9d133c020fda9c1e2e90f9936703466e011b3577e2c92689127d79d
  SHA512: 56679b3da1da4612faa50f6945e8c5ec30793204c067c97da180d38bf81ad4ec2a1934a4aa1e0bb169ad4ce1ee78de10e6052767a6c258cace04eb33b795de70

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms
  Filesize: 1KB
  MD5:    9aea097d8be9216531aeca7d6aa0fb33
  SHA1:   c53e093d278bbddd3c5ef1f1bc0051306bcd20e0
  SHA256: 2390ebc033637f4f9eeccb39ac54bc493e0826130d8e0dd8397010a48ba347bb
  SHA512: 498ef0c812e493741f3f904c952d4a64eb0916eb0b710a088b73e465e502f5af67d06005aec2ba91cefb27d177591ed0880eba7b54be5b813275ab15005166ba

  Filesize: 2.4MB
  MD5:    7e76f7a5c55a5bc5f5e2d7a9e886782b
  SHA1:   fc500153dba682e53776bef53123086f00c0e041
  SHA256: abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3
  SHA512: 0318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24

  Filesize: 431KB
  MD5:    fbbdc39af1139aebba4da004475e8839
  SHA1:   de5c8d858e6e41da715dca1c019df0bfb92d32c0
  SHA256: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
  SHA512: 74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

  Filesize: 31KB
  MD5:    29a37b6532a7acefa7580b826f23f6dd
  SHA1:   a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f
  SHA256: 7a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69
  SHA512: a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818

  Filesize: 2.7MB
  MD5:    48d8f7bbb500af66baa765279ce58045
  SHA1:   2cdb5fdeee4e9c7bd2e5f744150521963487eb71
  SHA256: db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1
  SHA512: aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd

  Filesize: 484KB
  MD5:    0a7b70efba0aa93d4bc0857b87ac2fcb
  SHA1:   01a6c963b2f5f36ff21a1043587dcf921ae5f5cd
  SHA256: 4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309
  SHA512: 2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

  Filesize: 414KB
  MD5:    c850f942ccf6e45230169cc4bd9eb5c8
  SHA1:   51c647e2b150e781bd1910cac4061a2cee1daf89
  SHA256: 86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f
  SHA512: 2b3890241b8c8690aab0aed347daa778aba20f29f76e8b79b02953b6252324317520b91ea60d3ef73e42ad403f7a6e0e3f2a057799f21ed447dae7096b2f47d9

  Filesize: 1.0MB
  MD5:    055d1462f66a350d9886542d4d79bc2b
  SHA1:   f1086d2f667d807dbb1aa362a7a809ea119f2565
  SHA256: dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
  SHA512: 2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

  Filesize: 7B
  MD5:    4047530ecbc0170039e76fe1657bdb01
  SHA1:   32db7d5e662ebccdd1d71de285f907e3a1c68ac5
  SHA256: 82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
  SHA512: 8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

  Filesize: 1.2MB
  MD5:    7621f79a7f66c25ad6c636d5248abeb9
  SHA1:   98304e41f82c3aee82213a286abdee9abf79bcce
  SHA256: 086d35f26bd2fd886e99744960b394d94e74133c40145a3e2bc6b3877b91ec5d
  SHA512: 59ffcf6eeac00c089e9c77192663d0dc97b2e62cedb6d64fe7dc2e67499abc34e33977e05113c9d39ca6d3e37e8b5c3e6aa926c8526215808b147c0152f7dbfd

  Filesize: 283B
  MD5:    5cc1682955fd9f5800a8f1530c9a4334
  SHA1:   e09b6a4d729f2f4760ee42520ec30c3192c85548
  SHA256: 5562cc607d2f698327efacc4a21bd079bb14a99b03e7a01b3c67f8440e341cb3
  SHA512: 80767263aad44c739236161d4338d5dd8b0b58613f22cd173c3e88ebf143220ee56bbf93ace69a07d3c2f00daff0adbaa8461a1d53d12699725395c931c43cb6