warzonerat | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Banking-Malware/DanaBot[.]exe

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	WarzoneRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	WarzoneRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	WarzoneRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	WarzoneRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	msedge.exe

Executes dropped EXE 33 IoCs

pid	Process
3348	WinNuke.98.exe
2180	xpaj.exe
5088	xpaj.exe
3644	xpajB.exe
3748	msedge.exe
3792	msedge.exe
1008	msedge.exe
5088	msedge.exe
1776	msedge.exe
2096	WarzoneRAT.exe
3016	WarzoneRAT.exe
4068	WarzoneRAT.exe
5008	WarzoneRAT.exe
2008	msedge.exe
2540	msedge.exe
3116	msedge.exe
3564	LoveYou.exe
1484	msedge.exe
4860	msedge.exe
1416	msedge.exe
4560	PCToaster.exe
4348	javaw.exe
2860	msedge.exe
2084	msedge.exe
376	msedge.exe
1160	msedge.exe
1304	msedge.exe
3096	msedge.exe
4900	msedge.exe
2420	msedge.exe
3080	msedge.exe
1840	ClassicShell (2).exe
220	ClassicShell (2).exe

Loads dropped DLL 52 IoCs

pid	Process
3748	msedge.exe
3748	msedge.exe
3792	msedge.exe
3792	msedge.exe
1008	msedge.exe
1008	msedge.exe
5088	msedge.exe
5088	msedge.exe
1776	msedge.exe
1776	msedge.exe
2008	msedge.exe
2008	msedge.exe
2540	msedge.exe
2540	msedge.exe
3116	msedge.exe
3116	msedge.exe
1484	msedge.exe
1484	msedge.exe
4860	msedge.exe
4860	msedge.exe
1416	msedge.exe
1416	msedge.exe
4348	javaw.exe
4348	javaw.exe
4348	javaw.exe
4348	javaw.exe
4348	javaw.exe
4348	javaw.exe
4348	javaw.exe
4348	javaw.exe
4348	javaw.exe
4348	javaw.exe
4348	javaw.exe
4348	javaw.exe
2860	msedge.exe
2860	msedge.exe
2084	msedge.exe
2084	msedge.exe
376	msedge.exe
376	msedge.exe
1160	msedge.exe
1160	msedge.exe
1304	msedge.exe
1304	msedge.exe
3096	msedge.exe
3096	msedge.exe
4900	msedge.exe
4900	msedge.exe
2420	msedge.exe
2420	msedge.exe
3080	msedge.exe
3080	msedge.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2600	takeown.exe
3620	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\J:	mountvol.exe
File opened (read-only)	\??\T:	mountvol.exe
File opened (read-only)	\??\f:	xpaj.exe
File opened (read-only)	\??\n:	xpaj.exe
File opened (read-only)	\??\G:	mountvol.exe
File opened (read-only)	\??\H:	mountvol.exe
File opened (read-only)	\??\M:	mountvol.exe
File opened (read-only)	\??\R:	mountvol.exe
File opened (read-only)	\??\r:	xpaj.exe
File opened (read-only)	\??\I:	mountvol.exe
File opened (read-only)	\??\K:	mountvol.exe
File opened (read-only)	\??\o:	xpaj.exe
File opened (read-only)	\??\q:	xpaj.exe
File opened (read-only)	\??\s:	xpaj.exe
File opened (read-only)	\??\V:	takeown.exe
File opened (read-only)	\??\A:	mountvol.exe
File opened (read-only)	\??\P:	mountvol.exe
File opened (read-only)	\??\Q:	mountvol.exe
File opened (read-only)	\??\W:	mountvol.exe
File opened (read-only)	\??\X:	mountvol.exe
File opened (read-only)	\??\g:	xpaj.exe
File opened (read-only)	\??\x:	xpaj.exe
File opened (read-only)	\??\Y:	mountvol.exe
File opened (read-only)	\??\Z:	mountvol.exe
File opened (read-only)	\??\h:	xpaj.exe
File opened (read-only)	\??\k:	xpaj.exe
File opened (read-only)	\??\w:	xpaj.exe
File opened (read-only)	\??\V:	takeown.exe
File opened (read-only)	\??\B:	mountvol.exe
File opened (read-only)	\??\E:	mountvol.exe
File opened (read-only)	\??\e:	xpaj.exe
File opened (read-only)	\??\j:	xpaj.exe
File opened (read-only)	\??\m:	xpaj.exe
File opened (read-only)	\??\t:	xpaj.exe
File opened (read-only)	\??\L:	mountvol.exe
File opened (read-only)	\??\p:	xpaj.exe
File opened (read-only)	\??\v:	xpaj.exe
File opened (read-only)	\??\y:	xpaj.exe
File opened (read-only)	\??\u:	xpaj.exe
File opened (read-only)	\??\N:	mountvol.exe
File opened (read-only)	\??\O:	mountvol.exe
File opened (read-only)	\??\S:	mountvol.exe
File opened (read-only)	\??\U:	mountvol.exe
File opened (read-only)	\??\d:	xpaj.exe
File opened (read-only)	\??\i:	xpaj.exe
File opened (read-only)	\??\l:	xpaj.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
59	raw.githubusercontent.com
60	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	xpaj.exe
File opened for modification	\??\PHYSICALDRIVE0	xpaj.exe
File opened for modification	\??\PhysicalDrive0	ClassicShell (2).exe
File opened for modification	\??\PhysicalDrive0	ClassicShell (2).exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2096 set thread context of 1028	2096	WarzoneRAT.exe	152
PID 3016 set thread context of 2828	3016	WarzoneRAT.exe	157
PID 4068 set thread context of 1636	4068	WarzoneRAT.exe	161
PID 5008 set thread context of 2420	5008	WarzoneRAT.exe	165

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationCore.resources.dll	xpaj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PPCORE.DLL	xpajB.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\vcruntime140_1.dll	xpajB.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\npt.dll	xpaj.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Overlapped.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationBuildTasks.resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\msedgeupdateres_en-GB.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\dual_engine_adapter_x64.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\CoolType.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\msedgeupdateres_am.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.DataSetExtensions.Resources.dll	xpaj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\VVIEWRES.DLL	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\msedgeupdateres_ja.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msdatl3.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\msadce.dll	xpaj.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationClientSideProviders.resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.Design.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\microsoft_shell_integration.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	xpajB.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\AdobeHunspellPlugin.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\tpcps.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\msedgeupdateres_iw.dll	xpaj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.DLL	xpaj.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\ssv.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-debug-l1-1-0.dll	xpajB.exe
File opened for modification	\??\c:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\de\Microsoft.PowerShell.PackageManagement.resources.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\video_filter\libanaglyph_plugin.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll	xpajB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PEOPLEDATAHANDLER.DLL	xpaj.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	xpajB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SignalRClient.dll	xpajB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ONBttnIE.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Claims.dll	xpajB.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\microsoft_apis.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationProvider.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\msedgeupdateres_de.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\ReachFramework.resources.dll	xpajB.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	xpaj.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\splashscreen.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.CodePages.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\tpcps.dll	xpajB.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\librist_plugin.dll	xpaj.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.IdentityModel.Selectors.Resources.dll	xpajB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.DataWarehouse.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_tr.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msadomd.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msdaorar.dll	xpajB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSVCP140_APP.DLL	xpaj.exe
File opened for modification	\??\c:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.DataSetExtensions.Resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.dll	xpaj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d9\libdirect3d9_filters_plugin.dll	xpaj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libty_plugin.dll	xpaj.exe
File opened for modification	C:\Program Files\Mozilla Firefox\libEGL.dll	xpaj.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Extensions.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DcfMsoWrapper.x86.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	xpajB.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.Design.resources.dll	xpajB.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libamem_plugin.dll	xpaj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libantiflicker_plugin.dll	xpaj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE	xpajB.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Conversion.v3.5.resources.dll	xpajB.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LoveYou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinNuke.98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PCToaster.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ClassicShell (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ClassicShell (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpajB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3052	taskkill.exe

NTFS ADS 12 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 953354.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 196878.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 401850.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 913489.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 925042.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 413098.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 998767.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 590783.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\jFvfxe.exe\:SmartScreen:$DATA	WarzoneRAT.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 755082.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 539218.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 180698.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2664	schtasks.exe
1656	schtasks.exe
3840	schtasks.exe
3988	schtasks.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
2916	msedge.exe
2916	msedge.exe
2192	msedge.exe
2192	msedge.exe
2316	identity_helper.exe
2316	identity_helper.exe
4324	msedge.exe
4324	msedge.exe
3804	msedge.exe
3804	msedge.exe
3232	msedge.exe
3232	msedge.exe
1100	msedge.exe
1100	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
1776	msedge.exe
1776	msedge.exe
2096	WarzoneRAT.exe
2096	WarzoneRAT.exe
2096	WarzoneRAT.exe
2096	WarzoneRAT.exe
3016	WarzoneRAT.exe
3016	WarzoneRAT.exe
3016	WarzoneRAT.exe
3016	WarzoneRAT.exe
3016	WarzoneRAT.exe
3016	WarzoneRAT.exe
4068	WarzoneRAT.exe
4068	WarzoneRAT.exe
4068	WarzoneRAT.exe
4068	WarzoneRAT.exe
5008	WarzoneRAT.exe
5008	WarzoneRAT.exe
5008	WarzoneRAT.exe
5008	WarzoneRAT.exe
3116	msedge.exe
3116	msedge.exe
1416	msedge.exe
1416	msedge.exe
3080	msedge.exe
3080	msedge.exe
424	msedge.exe
424	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3644	xpajB.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	WarzoneRAT.exe
Token: SeDebugPrivilege	3016	WarzoneRAT.exe
Token: SeDebugPrivilege	4068	WarzoneRAT.exe
Token: SeDebugPrivilege	5008	WarzoneRAT.exe
Token: SeTakeOwnershipPrivilege	2600	takeown.exe
Token: SeDebugPrivilege	3052	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2192	msedge.exe
2180	xpaj.exe
5088	xpaj.exe
4348	javaw.exe
4348	javaw.exe
4348	javaw.exe
4348	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 424	2192	msedge.exe	85
PID 2192 wrote to memory of 424	2192	msedge.exe	85
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2060	2192	msedge.exe	86
PID 2192 wrote to memory of 2916	2192	msedge.exe	87
PID 2192 wrote to memory of 2916	2192	msedge.exe	87
PID 2192 wrote to memory of 2948	2192	msedge.exe	88
PID 2192 wrote to memory of 2948	2192	msedge.exe	88
PID 2192 wrote to memory of 2948	2192	msedge.exe	88
PID 2192 wrote to memory of 2948	2192	msedge.exe	88
PID 2192 wrote to memory of 2948	2192	msedge.exe	88
PID 2192 wrote to memory of 2948	2192	msedge.exe	88
PID 2192 wrote to memory of 2948	2192	msedge.exe	88
PID 2192 wrote to memory of 2948	2192	msedge.exe	88
PID 2192 wrote to memory of 2948	2192	msedge.exe	88
PID 2192 wrote to memory of 2948	2192	msedge.exe	88
PID 2192 wrote to memory of 2948	2192	msedge.exe	88
PID 2192 wrote to memory of 2948	2192	msedge.exe	88
PID 2192 wrote to memory of 2948	2192	msedge.exe	88
PID 2192 wrote to memory of 2948	2192	msedge.exe	88
PID 2192 wrote to memory of 2948	2192	msedge.exe	88
PID 2192 wrote to memory of 2948	2192	msedge.exe	88
PID 2192 wrote to memory of 2948	2192	msedge.exe	88
PID 2192 wrote to memory of 2948	2192	msedge.exe	88
PID 2192 wrote to memory of 2948	2192	msedge.exe	88
PID 2192 wrote to memory of 2948	2192	msedge.exe	88

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2300	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Banking-Malware/DanaBot.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe54e446f8,0x7ffe54e44708,0x7ffe54e44718
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  2⤵
  PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5968 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4324
- C:\Users\Admin\Downloads\WinNuke.98.exe
  "C:\Users\Admin\Downloads\WinNuke.98.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:1
  2⤵
  PID:908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6544 /prefetch:8
  2⤵
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6588 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6236 /prefetch:8
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3348 /prefetch:8
  2⤵
  PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6536 /prefetch:8
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:2476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6600 /prefetch:8
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6920 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1100
- C:\Users\Admin\Downloads\xpaj.exe
  "C:\Users\Admin\Downloads\xpaj.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2180
- C:\Users\Admin\Downloads\xpaj.exe
  "C:\Users\Admin\Downloads\xpaj.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:5088
- C:\Users\Admin\Downloads\xpajB.exe
  "C:\Users\Admin\Downloads\xpajB.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6616 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6732 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1776
- C:\Users\Admin\Downloads\WarzoneRAT.exe
  "C:\Users\Admin\Downloads\WarzoneRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC6A2.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2664
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1028
- C:\Users\Admin\Downloads\WarzoneRAT.exe
  "C:\Users\Admin\Downloads\WarzoneRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCAA9.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1656
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2736
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2828
- C:\Users\Admin\Downloads\WarzoneRAT.exe
  "C:\Users\Admin\Downloads\WarzoneRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4068
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD046.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3840
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1636
- C:\Users\Admin\Downloads\WarzoneRAT.exe
  "C:\Users\Admin\Downloads\WarzoneRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD2F6.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3988
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6188 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:3116
- C:\Users\Admin\Downloads\LoveYou.exe
  "C:\Users\Admin\Downloads\LoveYou.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6664 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1416
- C:\Users\Admin\Downloads\PCToaster.exe
  "C:\Users\Admin\Downloads\PCToaster.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4560
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\PCToaster.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4348
  - - C:\Windows\SYSTEM32\attrib.exe
      attrib +h C:\Users\Admin\Downloads\scr.txt
      4⤵
      Views/modifies file attributes
      PID:2300
  - - C:\Windows\SYSTEM32\diskpart.exe
      diskpart /s C:\Users\Admin\Downloads\scr.txt
      4⤵
      PID:1716
  - - C:\Windows\SYSTEM32\takeown.exe
      takeown /f V:\Boot /r
      4⤵
      Modifies file permissions
      Enumerates connected drives
      Suspicious use of AdjustPrivilegeToken
      PID:2600
  - - C:\Windows\SYSTEM32\takeown.exe
      takeown /f V:\Recovery /r
      4⤵
      Modifies file permissions
      Enumerates connected drives
      PID:3620
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /im lsass.exe /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3052
  - - C:\Windows\SYSTEM32\mountvol.exe
      mountvol A: /d
      4⤵
      Enumerates connected drives
      PID:2968
  - - C:\Windows\SYSTEM32\mountvol.exe
      mountvol B: /d
      4⤵
      Enumerates connected drives
      PID:3840
  - - C:\Windows\SYSTEM32\mountvol.exe
      mountvol D: /d
      4⤵
      PID:4040
  - - C:\Windows\SYSTEM32\mountvol.exe
      mountvol E: /d
      4⤵
      Enumerates connected drives
      PID:1920
  - - C:\Windows\SYSTEM32\mountvol.exe
      mountvol F: /d
      4⤵
      PID:2516
  - - C:\Windows\SYSTEM32\mountvol.exe
      mountvol G: /d
      4⤵
      Enumerates connected drives
      PID:4376
  - - C:\Windows\SYSTEM32\mountvol.exe
      mountvol H: /d
      4⤵
      Enumerates connected drives
      PID:2920
  - - C:\Windows\SYSTEM32\mountvol.exe
      mountvol I: /d
      4⤵
      Enumerates connected drives
      PID:4472
  - - C:\Windows\SYSTEM32\mountvol.exe
      mountvol J: /d
      4⤵
      Enumerates connected drives
      PID:5116
  - - C:\Windows\SYSTEM32\mountvol.exe
      mountvol K: /d
      4⤵
      Enumerates connected drives
      PID:3764
  - - C:\Windows\SYSTEM32\mountvol.exe
      mountvol L: /d
      4⤵
      Enumerates connected drives
      PID:700
  - - C:\Windows\SYSTEM32\mountvol.exe
      mountvol M: /d
      4⤵
      Enumerates connected drives
      PID:3820
  - - C:\Windows\SYSTEM32\mountvol.exe
      mountvol N: /d
      4⤵
      Enumerates connected drives
      PID:3592
  - - C:\Windows\SYSTEM32\mountvol.exe
      mountvol O: /d
      4⤵
      Enumerates connected drives
      PID:444
  - - C:\Windows\SYSTEM32\mountvol.exe
      mountvol P: /d
      4⤵
      Enumerates connected drives
      PID:768
  - - C:\Windows\SYSTEM32\mountvol.exe
      mountvol Q: /d
      4⤵
      Enumerates connected drives
      PID:740
  - - C:\Windows\SYSTEM32\mountvol.exe
      mountvol R: /d
      4⤵
      Enumerates connected drives
      PID:4960
  - - C:\Windows\SYSTEM32\mountvol.exe
      mountvol S: /d
      4⤵
      Enumerates connected drives
      PID:3468
  - - C:\Windows\SYSTEM32\mountvol.exe
      mountvol T: /d
      4⤵
      Enumerates connected drives
      PID:4668
  - - C:\Windows\SYSTEM32\mountvol.exe
      mountvol U: /d
      4⤵
      Enumerates connected drives
      PID:2900
  - - C:\Windows\SYSTEM32\mountvol.exe
      mountvol V: /d
      4⤵
      PID:4292
  - - C:\Windows\SYSTEM32\mountvol.exe
      mountvol W: /d
      4⤵
      Enumerates connected drives
      PID:4548
  - - C:\Windows\SYSTEM32\mountvol.exe
      mountvol X: /d
      4⤵
      Enumerates connected drives
      PID:4284
  - - C:\Windows\SYSTEM32\mountvol.exe
      mountvol Y: /d
      4⤵
      Enumerates connected drives
      PID:364
  - - C:\Windows\SYSTEM32\mountvol.exe
      mountvol Z: /d
      4⤵
      Enumerates connected drives
      PID:4088
  - - C:\Windows\SYSTEM32\mountvol.exe
      mountvol C: /d
      4⤵
      PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6028 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6156 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,9950605209614262151,2255800666159188832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6236 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:3080
- C:\Users\Admin\Downloads\ClassicShell (2).exe
  "C:\Users\Admin\Downloads\ClassicShell (2).exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  PID:1840
- C:\Users\Admin\Downloads\ClassicShell (2).exe
  "C:\Users\Admin\Downloads\ClassicShell (2).exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  PID:220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1504

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4848

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery