Malware Analysis Report

2024-11-13 17:16

Sample ID 241106-n71emaskem
Target Danger-Multitool-2.0-main.zip
SHA256 71050844beef6a2221e7a65df0f97646358b4aa41c12cadb85132c38d0a9effa
Tags
discovery babylonrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

71050844beef6a2221e7a65df0f97646358b4aa41c12cadb85132c38d0a9effa

Threat Level: Known bad

The file Danger-Multitool-2.0-main.zip was found to be: Known bad.

Malicious Activity Summary

discovery babylonrat

Babylonrat family

Executes dropped EXE

System Location Discovery: System Language Discovery

Unsigned PE

Opens file in notepad (likely ransom note)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-06 12:03

Signatures

Babylonrat family

babylonrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-06 12:03

Reported

2024-11-06 12:13

Platform

win10v2004-20241007-en

Max time kernel

593s

Max time network

417s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Danger-Multitool-2.0-main\Danger Multitool 2.0.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Danger-Multitool-2.0-main\Danger Multitool 2.0.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Danger-Multitool-2.0-main\Danger Multitool 2.0.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Danger-Multitool-2.0-main\Danger Multitool 2.0.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Danger-Multitool-2.0-main\Danger Multitool 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\Danger-Multitool-2.0-main\Danger Multitool 2.0.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 214.143.182.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 12:03

Reported

2024-11-06 12:05

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

96s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Danger-Multitool-2.0-main.zip"

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08DC9A97\Danger Multitool 2.0.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08DAD4C7\Danger Multitool 2.0.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08D1B3C7\Danger Multitool 2.0.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08DFBEC7\Danger Multitool 2.0.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08D4C1D8\Danger Multitool 2.0.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08D6E397\Danger Multitool 2.0.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08D434E7\Danger Multitool 2.0.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08DB89C7\Danger Multitool 2.0.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08D735D7\Danger Multitool 2.0.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08D75B29\Danger Multitool 2.0.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08DB4FF7\Danger Multitool 2.0.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08D2C8F7\Danger Multitool 2.0.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08D42418\Danger Multitool 2.0.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08D71B18\Danger Multitool 2.0.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08D0A869\Danger Multitool 2.0.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08DAED97\Danger Multitool 2.0.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08DD5218\Danger Multitool 2.0.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\md_auto_file\shell\edit\command | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\md_auto_file\shell\open\command | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\.md | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\뭞뛳Ѐ耀 | C:\Windows\system32\OpenWith.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\뭞뛳Ѐ耀\ = "md_auto_file" | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\md_auto_file\shell\edit | C:\Windows\system32\OpenWith.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\md_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Program Files\7-Zip\7zFM.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\md_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\md_auto_file\shell\open | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\md_auto_file | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\md_auto_file\shell | C:\Windows\system32\OpenWith.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\.md\ = "md_auto_file" | C:\Windows\system32\OpenWith.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08D6E397\Danger Multitool 2.0.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08D6E397\Danger Multitool 2.0.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08D6E397\Danger Multitool 2.0.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08D6E397\Danger Multitool 2.0.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08DAED97\Danger Multitool 2.0.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08DAED97\Danger Multitool 2.0.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08DAED97\Danger Multitool 2.0.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08DC9A97\Danger Multitool 2.0.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08DC9A97\Danger Multitool 2.0.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08DC9A97\Danger Multitool 2.0.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08D434E7\Danger Multitool 2.0.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08D434E7\Danger Multitool 2.0.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08D434E7\Danger Multitool 2.0.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08DB4FF7\Danger Multitool 2.0.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08DB4FF7\Danger Multitool 2.0.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08DB4FF7\Danger Multitool 2.0.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08D2C8F7\Danger Multitool 2.0.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08D2C8F7\Danger Multitool 2.0.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08D2C8F7\Danger Multitool 2.0.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08DAD4C7\Danger Multitool 2.0.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08DAD4C7\Danger Multitool 2.0.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08DAD4C7\Danger Multitool 2.0.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08D1B3C7\Danger Multitool 2.0.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08D1B3C7\Danger Multitool 2.0.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08D1B3C7\Danger Multitool 2.0.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08DFBEC7\Danger Multitool 2.0.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08DFBEC7\Danger Multitool 2.0.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08DFBEC7\Danger Multitool 2.0.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08DB89C7\Danger Multitool 2.0.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08DB89C7\Danger Multitool 2.0.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08DB89C7\Danger Multitool 2.0.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08D42418\Danger Multitool 2.0.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08D42418\Danger Multitool 2.0.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08D42418\Danger Multitool 2.0.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08DD5218\Danger Multitool 2.0.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08DD5218\Danger Multitool 2.0.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08DD5218\Danger Multitool 2.0.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08D71B18\Danger Multitool 2.0.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08D71B18\Danger Multitool 2.0.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08D71B18\Danger Multitool 2.0.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08D4C1D8\Danger Multitool 2.0.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08D4C1D8\Danger Multitool 2.0.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08D4C1D8\Danger Multitool 2.0.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08D75B29\Danger Multitool 2.0.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08D6E397\Danger Multitool 2.0.exe | N/A
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A (42 identical events)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3456 wrote to memory of 3004 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO08D6E397\Danger Multitool 2.0.exe (3 events)
PID 3456 wrote to memory of 1928 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO08DAED97\Danger Multitool 2.0.exe (3 events)
PID 3456 wrote to memory of 2100 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO08DC9A97\Danger Multitool 2.0.exe (3 events)
PID 3456 wrote to memory of 5060 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO08D434E7\Danger Multitool 2.0.exe (3 events)
PID 3456 wrote to memory of 4136 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO08DB4FF7\Danger Multitool 2.0.exe (3 events)
PID 3456 wrote to memory of 1220 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO08D2C8F7\Danger Multitool 2.0.exe (3 events)
PID 3456 wrote to memory of 3412 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO08DAD4C7\Danger Multitool 2.0.exe (3 events)
PID 3456 wrote to memory of 4952 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO08D1B3C7\Danger Multitool 2.0.exe (3 events)
PID 3456 wrote to memory of 2780 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO08DFBEC7\Danger Multitool 2.0.exe (3 events)
PID 3456 wrote to memory of 2388 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO08DB89C7\Danger Multitool 2.0.exe (3 events)
PID 3456 wrote to memory of 952 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO08D735D7\Danger Multitool 2.0.exe (3 events)
PID 2216 wrote to memory of 4348 | N/A | C:\Windows\system32\OpenWith.exe | C:\Windows\system32\NOTEPAD.EXE (2 events)
PID 3456 wrote to memory of 2592 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO08D42418\Danger Multitool 2.0.exe (3 events)
PID 3456 wrote to memory of 3728 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO08DD5218\Danger Multitool 2.0.exe (3 events)
PID 3456 wrote to memory of 4384 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO08D71B18\Danger Multitool 2.0.exe (3 events)
PID 3456 wrote to memory of 2292 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO08D4C1D8\Danger Multitool 2.0.exe (3 events)
PID 3456 wrote to memory of 1848 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO08D75B29\Danger Multitool 2.0.exe (3 events)
PID 3456 wrote to memory of 2416 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO08D0A869\Danger Multitool 2.0.exe (3 events)

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Danger-Multitool-2.0-main.zip"

C:\Users\Admin\AppData\Local\Temp\7zO08D6E397\Danger Multitool 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\7zO08D6E397\Danger Multitool 2.0.exe"

C:\Users\Admin\AppData\Local\Temp\7zO08DAED97\Danger Multitool 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\7zO08DAED97\Danger Multitool 2.0.exe"

C:\Users\Admin\AppData\Local\Temp\7zO08DC9A97\Danger Multitool 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\7zO08DC9A97\Danger Multitool 2.0.exe"

C:\Users\Admin\AppData\Local\Temp\7zO08D434E7\Danger Multitool 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\7zO08D434E7\Danger Multitool 2.0.exe"

C:\Users\Admin\AppData\Local\Temp\7zO08DB4FF7\Danger Multitool 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\7zO08DB4FF7\Danger Multitool 2.0.exe"

C:\Users\Admin\AppData\Local\Temp\7zO08D2C8F7\Danger Multitool 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\7zO08D2C8F7\Danger Multitool 2.0.exe"

C:\Users\Admin\AppData\Local\Temp\7zO08DAD4C7\Danger Multitool 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\7zO08DAD4C7\Danger Multitool 2.0.exe"

C:\Users\Admin\AppData\Local\Temp\7zO08D1B3C7\Danger Multitool 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\7zO08D1B3C7\Danger Multitool 2.0.exe"

C:\Users\Admin\AppData\Local\Temp\7zO08DFBEC7\Danger Multitool 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\7zO08DFBEC7\Danger Multitool 2.0.exe"

C:\Users\Admin\AppData\Local\Temp\7zO08DB89C7\Danger Multitool 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\7zO08DB89C7\Danger Multitool 2.0.exe"

C:\Users\Admin\AppData\Local\Temp\7zO08D735D7\Danger Multitool 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\7zO08D735D7\Danger Multitool 2.0.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO08D1F228\README.md

C:\Users\Admin\AppData\Local\Temp\7zO08D42418\Danger Multitool 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\7zO08D42418\Danger Multitool 2.0.exe"

C:\Users\Admin\AppData\Local\Temp\7zO08DD5218\Danger Multitool 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\7zO08DD5218\Danger Multitool 2.0.exe"

C:\Users\Admin\AppData\Local\Temp\7zO08D71B18\Danger Multitool 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\7zO08D71B18\Danger Multitool 2.0.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\7zO08D4C1D8\Danger Multitool 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\7zO08D4C1D8\Danger Multitool 2.0.exe"

C:\Users\Admin\AppData\Local\Temp\7zO08D75B29\Danger Multitool 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\7zO08D75B29\Danger Multitool 2.0.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\UninstallEdit.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\werfault.exe

werfault.exe /h /shared Global\892748945eb04daca028e0453b30bad1 /t 3184 /p 2052

C:\Users\Admin\AppData\Local\Temp\7zO08D0A869\Danger Multitool 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\7zO08D0A869\Danger Multitool 2.0.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\7zO08D6E397\Danger Multitool 2.0.exe

MD5 1f491b029221bcbcc52f101effcdcd05
SHA1 0df19428a47dc69ff5fbf09ceb89169e8e3261e8
SHA256 6307526cdf7d6d87e41f57b43c2231e4a88cd65f974a72078ee247543c24241b
SHA512 c43c633a335361001e789cee9eed489a284b9f7f535e45ef2851d9c42dcfbcfb7ac83bac34fa9304643d93fb5edefd480c851294a720b261c98fc3c1b34de6e1

C:\Users\Admin\AppData\Local\Temp\7zO08D1F228\README.md

MD5 1578b4fd6f566e5315362ae30926a4b2
SHA1 ec02b4a2580491e426dc4f1139f8cd8c12770840
SHA256 c76414b13a2981641a279b008c131649457233d7d90429c696d46bdfbad57f01
SHA512 611713834a549cdc3e1862d69bad6cfb7f866981b4103c98b0e56215022273580562a156213501a720134953e21b6f9f1b8795cc807394b501c019dcc7f1aebf