crimsonrat | hxxp://my doom download

Analysis

max time kernel
363s
max time network
377s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
25-12-2024 11:22

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://my doom download

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00030000000006a1-537.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Dharma family
dharma
Njrat family
njrat

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (553) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
456	netsh.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 12 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD8A88.tmp	WannaCry.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe\:SmartScreen:$DATA	NJRat.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-4B62598E.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe\:Zone.Identifier:$DATA	NJRat.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-4B62598E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD8A9F.tmp	WannaCry.exe

Executes dropped EXE 47 IoCs

pid	Process
3872	NJRat.exe
2068	NJRat (8).exe
396	NJRat (9).exe
3900	CrimsonRAT.exe
3112	dlrarhsiva.exe
1624	CoronaVirus.exe
2788	CoronaVirus.exe
65964	NJRat (8).exe
66464	NJRat (9).exe
66472	NJRat.exe
73268	CrimsonRAT.exe
36544	dlrarhsiva.exe
37232	CoronaVirus.exe
37400	CoronaVirus.exe
37748	msedge.exe
63148	msedge.exe
37912	msedge.exe
38068	msedge.exe
38164	msedge.exe
38236	msedge.exe
38432	WannaCry.exe
38724	!WannaDecryptor!.exe
40112	!WannaDecryptor!.exe
40168	!WannaDecryptor!.exe
40224	WannaCry.exe
40320	!WannaDecryptor!.exe
40444	msedge.exe
40736	msedge.exe
40780	msedge.exe
40980	msedge.exe
41076	MrsMajor3.0.exe
41200	eulascr.exe
42028	msedge.exe
41960	msedge.exe
42648	msedge.exe
42592	ArcticBomb.exe
41672	msedge.exe
41660	msedge.exe
42768	msedge.exe
42480	msedge.exe
42368	MEMZ (1).exe
42244	MEMZ (1).exe
42192	MEMZ (1).exe
42816	MEMZ (1).exe
42836	MEMZ (1).exe
42860	MEMZ (1).exe
42876	MEMZ (1).exe

Loads dropped DLL 18 IoCs

pid	Process
37748	msedge.exe
63148	msedge.exe
37912	msedge.exe
38068	msedge.exe
38164	msedge.exe
38236	msedge.exe
40444	msedge.exe
40736	msedge.exe
40780	msedge.exe
40980	msedge.exe
41200	eulascr.exe
42028	msedge.exe
41960	msedge.exe
42648	msedge.exe
41672	msedge.exe
41660	msedge.exe
42768	msedge.exe
42480	msedge.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/41200-26144-0x0000000000680000-0x00000000006AA000-memory.dmp	agile_net

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .."	NJRat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .."	NJRat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2584844841-1405471295-1760131749-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2584844841-1405471295-1760131749-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
11	raw.githubusercontent.com
73	raw.githubusercontent.com
99	raw.githubusercontent.com
120	drive.google.com
10	drive.google.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ (1).exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001b00000002af0d-26212.dat	upx
behavioral1/memory/42592-26241-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/42592-26243-0x0000000000400000-0x0000000000454000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\SnippingTool\Assets\StoreLogo.scale-200.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\EmptyView-Dark.scale-400.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-si\ui-strings.js.id-4B62598E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-30_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\GetHelpBadgeLogo.scale-100_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-phn.xrm-ms	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEEXCH.DLL.id-4B62598E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\MAPISHELLR.DLL.id-4B62598E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\PackageManagementDscUtilities.psm1.id-4B62598E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-20.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\SearchEmail2x.png.id-4B62598E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.SapBwProvider.dll.id-4B62598E.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-gb\ui-strings.js.id-4B62598E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sk-sk\ui-strings.js.id-4B62598E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses\c2rpridslicensefiles_auto.xml.id-4B62598E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemDrawing.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\SnipSketchStoreLogo.scale-100.png	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-pl.xrm-ms.id-4B62598E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fi-fi\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ppd.xrm-ms	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons.png.id-4B62598E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\libaudiobargraph_v_plugin.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.9.2002.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ja-jp\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\QUAD.ELM	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Controls.Ribbon.resources.dll	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\orcl7.xsl.id-4B62598E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\tr-tr\ui-strings.js.id-4B62598E.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONGuide.onepkg.id-4B62598E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GetHelpStoreLogo.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ul-phn.xrm-ms.id-4B62598E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\css\tool-view.css.id-4B62598E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.3.2.jar	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoianetutil.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reportabuse-default_18.svg.id-4B62598E.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ppd.xrm-ms.id-4B62598E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected].[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-fr\ui-strings.js.id-4B62598E.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Design.resources.dll.id-4B62598E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherAppList.targetsize-20_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\GenericMailWideTile.scale-150.png	CoronaVirus.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe.id-4B62598E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\StorageConnectors.api	CoronaVirus.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll.id-4B62598E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.wordmui.msi.16.en-us.xml.id-4B62598E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\informix.xsl	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\THMBNAIL.PNG	CoronaVirus.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_150.png.id-4B62598E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationProvider.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\WeatherAppList.targetsize-64_altform-unplated_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\zh-TW.pak.id-4B62598E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare150x150Logo.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-60_altform-unplated_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\pkeyconfig-office.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\ResourceDictionary.xbf	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\ja-JP\MSFT_PackageManagement.schema.mfl.id-4B62598E.[[email protected]].ncov	CoronaVirus.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 9 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MEMZ (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NJRat.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NJRat (9).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NJRat (8).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ArcticBomb.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat (8).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat (9).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat (9).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat (8).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ArcticBomb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ (1).exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
36824	vssadmin.exe
47996	vssadmin.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
38732	taskkill.exe
38756	taskkill.exe
38748	taskkill.exe
38740	taskkill.exe

NTFS ADS 28 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\NJRat (8).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 625566.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 982380.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 409767.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 594825.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 783521.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 611056.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 873104.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 449384.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 836028.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 560718.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 833799.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 584113.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ArcticBomb.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MEMZ (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NJRat.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 665566.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NJRat (9).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 564320.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 818691.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 944951.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 619481.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 224677.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 968591.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3856	msedge.exe
3856	msedge.exe
4628	msedge.exe
4628	msedge.exe
2180	msedge.exe
2180	msedge.exe
3684	identity_helper.exe
3684	identity_helper.exe
4284	msedge.exe
4284	msedge.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe
3872	NJRat.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3872	NJRat.exe
4628	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 34 IoCs

pid	Process
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3872	NJRat.exe
Token: 33	3872	NJRat.exe
Token: SeIncBasePriorityPrivilege	3872	NJRat.exe
Token: 33	3872	NJRat.exe
Token: SeIncBasePriorityPrivilege	3872	NJRat.exe
Token: SeDebugPrivilege	2068	NJRat (8).exe
Token: SeDebugPrivilege	396	NJRat (9).exe
Token: 33	3872	NJRat.exe
Token: SeIncBasePriorityPrivilege	3872	NJRat.exe
Token: 33	3872	NJRat.exe
Token: SeIncBasePriorityPrivilege	3872	NJRat.exe
Token: 33	3872	NJRat.exe
Token: SeIncBasePriorityPrivilege	3872	NJRat.exe
Token: 33	3872	NJRat.exe
Token: SeIncBasePriorityPrivilege	3872	NJRat.exe
Token: 33	3872	NJRat.exe
Token: SeIncBasePriorityPrivilege	3872	NJRat.exe
Token: 33	3872	NJRat.exe
Token: SeIncBasePriorityPrivilege	3872	NJRat.exe
Token: 33	3872	NJRat.exe
Token: SeIncBasePriorityPrivilege	3872	NJRat.exe
Token: 33	3872	NJRat.exe
Token: SeIncBasePriorityPrivilege	3872	NJRat.exe
Token: 33	3872	NJRat.exe
Token: SeIncBasePriorityPrivilege	3872	NJRat.exe
Token: SeDebugPrivilege	65964	NJRat (8).exe
Token: SeDebugPrivilege	66464	NJRat (9).exe
Token: SeDebugPrivilege	66472	NJRat.exe
Token: 33	3872	NJRat.exe
Token: SeIncBasePriorityPrivilege	3872	NJRat.exe
Token: SeBackupPrivilege	36896	vssvc.exe
Token: SeRestorePrivilege	36896	vssvc.exe
Token: SeAuditPrivilege	36896	vssvc.exe
Token: 33	3872	NJRat.exe
Token: SeIncBasePriorityPrivilege	3872	NJRat.exe
Token: 33	3872	NJRat.exe
Token: SeIncBasePriorityPrivilege	3872	NJRat.exe
Token: 33	3872	NJRat.exe
Token: SeIncBasePriorityPrivilege	3872	NJRat.exe
Token: 33	3872	NJRat.exe
Token: SeIncBasePriorityPrivilege	3872	NJRat.exe
Token: 33	3872	NJRat.exe
Token: SeIncBasePriorityPrivilege	3872	NJRat.exe
Token: 33	3872	NJRat.exe
Token: SeIncBasePriorityPrivilege	3872	NJRat.exe
Token: 33	3872	NJRat.exe
Token: SeIncBasePriorityPrivilege	3872	NJRat.exe
Token: 33	3872	NJRat.exe
Token: SeIncBasePriorityPrivilege	3872	NJRat.exe
Token: 33	3872	NJRat.exe
Token: SeIncBasePriorityPrivilege	3872	NJRat.exe
Token: SeDebugPrivilege	38748	taskkill.exe
Token: SeDebugPrivilege	38756	taskkill.exe
Token: SeDebugPrivilege	38740	taskkill.exe
Token: SeDebugPrivilege	38732	taskkill.exe
Token: 33	3872	NJRat.exe
Token: SeIncBasePriorityPrivilege	3872	NJRat.exe
Token: 33	3872	NJRat.exe
Token: SeIncBasePriorityPrivilege	3872	NJRat.exe
Token: SeIncreaseQuotaPrivilege	40552	WMIC.exe
Token: SeSecurityPrivilege	40552	WMIC.exe
Token: SeTakeOwnershipPrivilege	40552	WMIC.exe
Token: SeLoadDriverPrivilege	40552	WMIC.exe
Token: SeSystemProfilePrivilege	40552	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
38724	!WannaDecryptor!.exe
38724	!WannaDecryptor!.exe
40112	!WannaDecryptor!.exe
40112	!WannaDecryptor!.exe
40168	!WannaDecryptor!.exe
40168	!WannaDecryptor!.exe
40320	!WannaDecryptor!.exe
40320	!WannaDecryptor!.exe
41076	MrsMajor3.0.exe
42368	MEMZ (1).exe
42244	MEMZ (1).exe
42192	MEMZ (1).exe
42816	MEMZ (1).exe
42836	MEMZ (1).exe
42860	MEMZ (1).exe
42876	MEMZ (1).exe
42860	MEMZ (1).exe
42244	MEMZ (1).exe
42192	MEMZ (1).exe
42836	MEMZ (1).exe
42816	MEMZ (1).exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 2884	4628	msedge.exe	78
PID 4628 wrote to memory of 2884	4628	msedge.exe	78
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 704	4628	msedge.exe	79
PID 4628 wrote to memory of 3856	4628	msedge.exe	80
PID 4628 wrote to memory of 3856	4628	msedge.exe	80
PID 4628 wrote to memory of 5016	4628	msedge.exe	81
PID 4628 wrote to memory of 5016	4628	msedge.exe	81
PID 4628 wrote to memory of 5016	4628	msedge.exe	81
PID 4628 wrote to memory of 5016	4628	msedge.exe	81
PID 4628 wrote to memory of 5016	4628	msedge.exe	81
PID 4628 wrote to memory of 5016	4628	msedge.exe	81
PID 4628 wrote to memory of 5016	4628	msedge.exe	81
PID 4628 wrote to memory of 5016	4628	msedge.exe	81
PID 4628 wrote to memory of 5016	4628	msedge.exe	81
PID 4628 wrote to memory of 5016	4628	msedge.exe	81
PID 4628 wrote to memory of 5016	4628	msedge.exe	81
PID 4628 wrote to memory of 5016	4628	msedge.exe	81
PID 4628 wrote to memory of 5016	4628	msedge.exe	81
PID 4628 wrote to memory of 5016	4628	msedge.exe	81
PID 4628 wrote to memory of 5016	4628	msedge.exe	81
PID 4628 wrote to memory of 5016	4628	msedge.exe	81
PID 4628 wrote to memory of 5016	4628	msedge.exe	81
PID 4628 wrote to memory of 5016	4628	msedge.exe	81
PID 4628 wrote to memory of 5016	4628	msedge.exe	81
PID 4628 wrote to memory of 5016	4628	msedge.exe	81

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://my doom download
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc67443cb8,0x7ffc67443cc8,0x7ffc67443cd8
  2⤵
  PID:2884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3576 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:1268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6300 /prefetch:8
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6416 /prefetch:8
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6036 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6496 /prefetch:8
  2⤵
  PID:1096
- C:\Users\Admin\Downloads\NJRat.exe
  "C:\Users\Admin\Downloads\NJRat.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:3872
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NJRat.exe" "NJRat.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:2804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1152 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1624 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7340 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2608 /prefetch:8
  2⤵
  PID:760
- C:\Users\Admin\Downloads\NJRat (8).exe
  "C:\Users\Admin\Downloads\NJRat (8).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Users\Admin\Downloads\NJRat (9).exe
  "C:\Users\Admin\Downloads\NJRat (9).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:396
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Executes dropped EXE
  PID:3900
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7036 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7092 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4896 /prefetch:2
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6952 /prefetch:1
  2⤵
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7508 /prefetch:8
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4032
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1624
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:4608
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:36528
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:36824
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:36468
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:36772
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:47996
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:36536
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:36632
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7160 /prefetch:1
  2⤵
  PID:26780
- C:\Users\Admin\Downloads\NJRat (8).exe
  "C:\Users\Admin\Downloads\NJRat (8).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:65964
- C:\Users\Admin\Downloads\NJRat (9).exe
  "C:\Users\Admin\Downloads\NJRat (9).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:66464
- C:\Users\Admin\Downloads\NJRat.exe
  "C:\Users\Admin\Downloads\NJRat.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:66472
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Executes dropped EXE
  PID:73268
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:36544
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:37232
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:37400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:37748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:63148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7172 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:37912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1576 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:38068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7640 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:38164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7600 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:38236
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:38432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 65111735125988.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:38520
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:38572
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:38724
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:38732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:38740
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:38748
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:38756
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:40112
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    3⤵
    - System Location Discovery: System Language Discovery
    PID:40120
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:40168
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:40480
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:40552
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:40320
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:40224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:40444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:40736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6604 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:40780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7316 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:40980
- C:\Users\Admin\Downloads\MrsMajor3.0.exe
  "C:\Users\Admin\Downloads\MrsMajor3.0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:41076
- - C:\Windows\system32\wscript.exe
    "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\F317.tmp\F318.tmp\F319.vbs //Nologo
    3⤵
    - UAC bypass
    - System policy modification
    PID:41148
  - - C:\Users\Admin\AppData\Local\Temp\F317.tmp\eulascr.exe
      "C:\Users\Admin\AppData\Local\Temp\F317.tmp\eulascr.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:41200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:42028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7180 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:41960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7480 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:42648
- C:\Users\Admin\Downloads\ArcticBomb.exe
  "C:\Users\Admin\Downloads\ArcticBomb.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:42592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:41672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7568 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:41660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2608 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:42768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,7432446895506376771,5627115845283154096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6948 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:42480
- C:\Users\Admin\Downloads\MEMZ (1).exe
  "C:\Users\Admin\Downloads\MEMZ (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:42368
- - C:\Users\Admin\Downloads\MEMZ (1).exe
    "C:\Users\Admin\Downloads\MEMZ (1).exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:42244
- - C:\Users\Admin\Downloads\MEMZ (1).exe
    "C:\Users\Admin\Downloads\MEMZ (1).exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:42192
- - C:\Users\Admin\Downloads\MEMZ (1).exe
    "C:\Users\Admin\Downloads\MEMZ (1).exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:42816
- - C:\Users\Admin\Downloads\MEMZ (1).exe
    "C:\Users\Admin\Downloads\MEMZ (1).exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:42836
- - C:\Users\Admin\Downloads\MEMZ (1).exe
    "C:\Users\Admin\Downloads\MEMZ (1).exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:42860
- - C:\Users\Admin\Downloads\MEMZ (1).exe
    "C:\Users\Admin\Downloads\MEMZ (1).exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:42876
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:42968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5024

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:36896

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\72a1919c9bdc4359b869a2f129ca6559 /t 36636 /p 36632
1⤵
PID:37128

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\09e14c2401524f1c8bf590437d6d8034 /t 36540 /p 36536
1⤵
PID:37260

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FILES ENCRYPTED.txt
1⤵
PID:37488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-4B62598E.[[email protected]].ncov

Filesize
2.7MB

MD5
d6e643eda5bc03ca38267a1f200be132

SHA1
05012121e83a1317a131c5f7f4e31e2dd5873f90

SHA256
1d254c7a82e1baa38859128101d646d5e18ba6bee9e87426c64dfee64e1fcd17

SHA512
61696f563dc5f98b992c1c955e075a41a43b88bcd569090ef681db250eb6287aea2c84c5adfd07fb4404f0a918571eb395c04fedd7956746fdae9bb675a4c6e3

Download Submit
C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Recovery\WindowsRE\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
e3b2f44eebca4fb56fa87b3ca91902b9

SHA1
f233f5dab7fbfde1efa664f57589e8f98e8366b1

SHA256
6ab6e4fe2bd51fb2a08bf92a7f89b35062e37becefb656693bd5777f1f00cf59

SHA512
5e17601f4891db526edb34961d639fdf9522e4aa01da5607467ba77b8feda5adc3dc69d14d13d3525192737949d2217fb29baaf4305e9ec4a81a39dd31c357d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\NJRat.exe.log

Filesize
319B

MD5
2a0834560ed3770fc33d7a42f8229722

SHA1
c8c85f989e7a216211cf9e4ce90b0cc95354aa53

SHA256
8aa2d836004258f1a1195dc4a96215b685aed0c46a261a2860625d424e9402b6

SHA512
c5b64d84e57eb8cc387b5feedf7719f1f7ae21f6197169f5f73bc86deddb538b9af3c9952c94c4f69ae956e1656d11ab7441c292d2d850a4d2aaa9ec678f8e82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
826c7cac03e3ae47bfe2a7e50281605e

SHA1
100fbea3e078edec43db48c3312fbbf83f11fca0

SHA256
239b1d7cc6f76e1d1832b0587664f114f38a21539cb8548e25626ed5053ea2ab

SHA512
a82f3c817a6460fd8907a4ac6ab37c2129fb5466707edcfb565c255680d7f7212a5669fe2a42976150f16e4e549ea8310078f22ed35514ee1b7b45b46d8cc96e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
02a4b762e84a74f9ee8a7d8ddd34fedb

SHA1
4a870e3bd7fd56235062789d780610f95e3b8785

SHA256
366e497233268d7cdf699242e4b2c7ecc1999d0a84e12744f5af2b638e9d86da

SHA512
19028c45f2e05a0cb32865a2554513c1536bf9da63512ff4e964c94a3e171f373493c7787d2d2a6df8012648bbefab63a9de924f119c50c39c727cf81bdc659f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
31KB

MD5
29a37b6532a7acefa7580b826f23f6dd

SHA1
a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f

SHA256
7a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69

SHA512
a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
fe3c550649d67d85bdfe641bbe20b646

SHA1
ac931a90f79114a0242d24a347cd5990c508191d

SHA256
19de38ce334c3b72f2f9d06427d066bf5cb41678bfdea4d905b60628f569d02e

SHA512
83c4b8069002a24a9998ddb1662edd068c649d851554883d512cffba23c14f71284f365843118d0413218aa25aca7234c8fde8ed383227c55081c6e9674ef9a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
178ff0b580b880f6848fc3586a128511

SHA1
135db9c4ad78ce7617a4f2e91f12fee7074a3011

SHA256
436bf13cfb1d7c0e6d3da5a2e4b34cb17c04f7a6feb4fcdf890977054fc1d064

SHA512
594c9fea6df9dd60a154afef7f415a9b1398f7036c9936a11b9ba38beeca92c577423d4fc2b14d7ddc5d453ae6a738ca74344b5baa9ff2cbe9ae018959024a1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
09b27b1dbe00c2f9aa2b43d9b20aff31

SHA1
43bf165c8a232b247a25e726810806e48e0018fa

SHA256
5cf7813839a1c9c87fe2d1075ad873c1eb0dbfbb37b819c00d08adbd9a14ad5c

SHA512
0ee1929f33b07ba8f5aa32ef0556fe790e5d59b731f6c2a2d9ce4b50f7231fc2f10a8ce983df8a8dfd6d8d58525cbc8aabec0b549a52b0760ef254ea01736ad7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1009B

MD5
8ef5e59e32213bc65062bf4f5383da63

SHA1
6e09fed7de64ba317a35ecbef8fd4c816d582fea

SHA256
8ab1d408dd9292d1d614db82d70f1eefd70b4744e8e83f8a3ce6643e0a11135e

SHA512
0fc042dd0bb4f8c3f04ff5956e7da9fa6283104eca2aae4c35c61be8b510c0aff2c9ade7c40b546f6c28503567e5c01ed4caaba741cd2013ad3aaf2a27cc26ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
805a973d4b688604bb9b9ccb247008d7

SHA1
7ecf8cb8df34b8a75133e658c2c9d5d751b6f89d

SHA256
583caec7ca00a66544e5ab93198fea0c252b2d09b60fd9af6320aa7a11c9252f

SHA512
7492b5d8a3bb14eb15519fe1329ebd30b3513b3086155c6e84eec4049870cda15ece434b456040ce4cd51245f58fdf9d49b9337e7d7163c91366f8d3534ee985

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d398dadfda20eb5ca9558a926088374c

SHA1
8f61e32136b1dae0d9c89559cb0cc6d1a0f2c561

SHA256
11cf6f4a65c21fd91e696e71d1b1706bdb6b12413bb158fafbf663bb28b14130

SHA512
8ad9f0d18a1ee3c76d7d5785d9033c6111061130ff3a0a779ca946caa2d84381a5928e2b06544b427232824009a4c71488dde4ac2b207dfeac38ab83ceaf0ed3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fd5245f02ede02323ed0e68ab515df81

SHA1
b3d368979be186aa0998f202ebda0333a2acfe96

SHA256
fa2742835746378eefcf9248784763bde4004cc7dcff8a7830d85f5f59045383

SHA512
6896cd32f3569bd07886f36b04fee7b9c6b85900c04ca47f05ede24b6b7d453d3698fad438710998c722d29d0169e6fb24379fb2ae99ba07087b9d122404fe84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
12b18637529b3c0264d7943aeec4ce30

SHA1
cea46ec6ab8b9d045a1bb1d4f64c82613166a8b2

SHA256
2a9ee6db0be1ed3e7cb654bdf80f8df4624e07d788c920a2f0cc5b76cc8afe0f

SHA512
92017afa65ffc9926a7b7e602deb63f77a8246f74132e58b3b073a6f0c7060834afca2b429e0f6a97047a1398c4328c549a19c1b0139369ec1ffb98b8cd5a2f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8dae3e6e1ab90971c27795b3fb59651c

SHA1
d9c25a9e429536469db19c46e2af128aa26de502

SHA256
f418086bc4f73a54db6bfb8c5fc1210758f7d17fa9a0d0c28f613809fd5284e1

SHA512
f4dd3d4e4c20a57254f416f566ab68e7a580058d05728bccbe80db784eff5270ac37000e8ba1a5122c9c7991b6485a2a7a849ed83734346da668df4c42b91024

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dc3bf82ef6a4eecfb0741ddb21b63f47

SHA1
254de49810839317667834fde69b14212b40eea8

SHA256
bbe279bd33a4fa40c8ffa7002881933e07c909549199129ac1590de5d92af267

SHA512
9459da1817c0968c8d2e30225b32b3dc70aa787e3c42f089adc4d4ca8ba1d895adf02936f559ec436a868bc7c9d1fda1f74a1e4bb609d078eecdc9996d4d0b9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
45cd6f120eb5970bbfba9c7d67dd2540

SHA1
4694eff4c83c935e222c1a41a0f5c68721a321b0

SHA256
45b2e478f753b67894c757aae10bbbcae4fd53a66af96e68729d616e8d2df4ca

SHA512
d5cb557d0404f80efd86c33f1c53511c9c0986b8310dc28c783f98d417fc5f763cf6c8d43aaf2079e9fb076c869b143aa51ee35b1de4e6a9bafc159af37ae7fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f02483a2e725046f0cd5c57d18d0130b

SHA1
8658466f8e18d62fd4cee2ad6c34f0524d10261d

SHA256
cbc27ba86a87332459fa888e2c66c277e095831fbd8227b84fe156aaa4c4db9e

SHA512
184bc7c7ea858ea3e472687a0fc8b5ecb3970250c31dbfd835d0ca8629f60fe0d64e9552a9afb86728870a31d1e9833d54cde9ac680384c4bdf5ed5514251856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
abf2a188a683d74e1d398b88107d49d8

SHA1
e048d5351e1aed8bb4fb10ba89e1acab8cc3f16b

SHA256
ed4c36f9cb928a690a4b574697a2e30054d62ffa2ea43c09085dd0934ec4fc2c

SHA512
c29a3b4dd1e87d36ca1475a99c1f6d6ac0aaba0016dd83d4a3ba984e2e49205677edf0a86b1b4b702d7c513d9717d4c7222e022a986fcc82e269674463ab40b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
cbc555c27f3b81c0bc6baff4101490ce

SHA1
9c14f5266e7b0a36989afa82aed31b90846f3fe1

SHA256
aba2b8b2e791e98c53a6fcda002a1a7135568011d0b982782d72f73c2ea8a47b

SHA512
7bcc93db923592d1feadff22703f0ef25070cb59edd8f45a6c98fd802e4dc488b1888ee9c6622bbf490b5690aa45a617758901dfe7eb52389cbf7f51b1252f2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a7d98d6698116fcdab7c597b4585d54b

SHA1
09e3f5dec43719f1209e46e9c5bd978d2e924c89

SHA256
f017431e3c8b1ea3f3528e665a00e7b2c663cb906b763b7b9a29d172ba24064e

SHA512
60ad5f9a78fb36c2647b93347bb09bbb07b9a51d8652ee4e27839e4c0382804ad6109d67893390d47e2c38192f5d074d52e7f80e3069a90da7aa1a797372194e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
21d92ef4a254c932d7fd5a4309bcbfd5

SHA1
6652400f71db900c3629188ac3759ab97733c17d

SHA256
a641131d2e1c68937b7b100a0d00e84126713ab107a32f4ac72320389f3605e8

SHA512
4cfb0e2666713eb5d0c3eb832f15cce74d754d145da05edc57caa4e84ad181f3235ea26b8828311ea658d23fc77144f5de3fffc83bedd48860122fac7a133559

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3b3f85725669bd0bcf34bba927e2bcea

SHA1
583152c2bc25d896eaf0cc482b9da3259f151210

SHA256
51acb49d34ea0844bfda85dfa8dfe50f9bfd113553db083061e2aa0704170b60

SHA512
32259bd0f080618a30dc67b8a8a731422c5c4a4e647a9daf5271afa7d2266ac587cd0231c22eb6f483cbe96491a15a658d797d4fac964282cf4465fd211cf311

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
25e0f36ff4c9ec807e30250486cf88aa

SHA1
7fd851921328efe8ed5c6d1f2bc87c16c4cb68c5

SHA256
7f8eebd77b1321e06301dfcc14e0b603c9aca22486bc577b3bea46ac9273241c

SHA512
1098d9256acdddb01e8db3a43329ed7e18b6315b687eb60d59ba465de8436b7d55fd8870b1c08e4fdf2ffe18a7874accb608e9b879152b284686506a8a89eb97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e2bbdf3279da11c50068a5fc90345b62

SHA1
dd6d822f87a249234dfbbad1922766492a0a6c63

SHA256
060801915e7ba9a7fefbfabb1ce2d9a536ce72603876f008acc4add9dc86dda8

SHA512
46a5a0b99f87b9ed9a344356313052f38732c02209373c5525ef7d191bc487d6300731362fb31554c464ebe0d0551adc9bbedf6965f11ce62bc40c7bc32ee646

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2f2ca432b265061a8b2848259d669734

SHA1
e38736f21fd3ff18270a88d1ad3676364bfc3c0e

SHA256
d4f8ad1c8c25fbf260c88f2398a32ed4b2fca0c05f0a8d26196e10b46b5b095f

SHA512
e33fef32f9144a5baf9818c3ce3011fa0e3fc64d02b7474f958f753142ad2b00cbac43070c80945e87e5b2fc436bd06e61d533be07005cc0b27b2a19c9e9bad0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4f19c9c76afc5d8be41f0c44beeddb0c

SHA1
3a342ddc183bc48b3c3bb91867acd2ed0905ec63

SHA256
3329c5e1a9e292f08ad3a852d25ddcc5361e7f769022c85317a60519b60da6e8

SHA512
90d2eaf465f739ca11de36afbf6d4511c4f94e8d52284ce1f7e97504f2e918516d81c3f48ddb80481d081591d8d94ae88a56526d77f90aa314d1ef1363e7c1c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4efd96c0b515bc9eb9c680ac24e02470

SHA1
0b09723af6886f81420038bac2c05d418f8342fe

SHA256
ec654b6647432dcdcf0c28e6c419b476c302dc7c8d0d365d60a472308be04106

SHA512
2de72675cfa5b0d68fb3742d84e261e39c6e125c647b57ef159ff4682f4c8c550c7a8b5be2f7a34e64443765dbf8ee411aa64d2fd08fc5544eebc745fa13199c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
714e3bf5b199010d18f98c3cdf41996b

SHA1
45651311b80116087e6a39d1a847e3c7fdc9300c

SHA256
dac7f54be3d3d5d811d2a9a6bb688e135cb6a86730d4062077e6351217539688

SHA512
48c0d730a4e74ad822ed6196668e3bda2cd6da1cb90bbfa2a71ff35bc497d0795e1deb94927d212634b076d3bfd42737e588064f4cc26fbead3720b687258f53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
88f102a40703af00461b56504d9c137a

SHA1
cd9d320da1cb4cf63ffc8bb23dda5f6a5262daf7

SHA256
67ea84a7c95906813387dfc712213deafee72c3ce160cd644a49f3ddd53d0901

SHA512
e41b619111436f4d8e583a1761201ccbc9c73d82e35b5ba801d701cbe79634ed82bdb774a5b42411f6eedafd6bf2cad03d514f7d2d4feb66d1018d1409ed016e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
364c6ee05cb3d0934142013c7ae0ce4a

SHA1
180920bda2f3fa4c907324265d633508e712e905

SHA256
6190460e35eaede6600335059decc5ee99b43a5ff6b4f769b10ce3b9a22164f2

SHA512
394016ce3b89a75f93c117d6dec69ab1b4d9dd70f89c95c7b1dc5a158c52c21b8fb766e5285dcf275aa2cce252f4cc9af7ae12e5aa5ef509a87de319515dd214

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bd7c94fce3658a9cbf40d3212be612d4

SHA1
42c8786aa59ae7d0eaa57d2756d4aa6fdde45a97

SHA256
d51b84917979768c2b75557651f8afa75276658835979345e498fc374397221d

SHA512
b0f022de14fc3385b90b07dcfaec744ceba32d7fc3d173489cc08e6350efaa54c3aec2f2a6e590f26cf96adf2520ec9f7afa72e6348d077fc28fb245f6aec9be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7cc09775067ab53fdff878b9fafc0a4e

SHA1
27d2ce12a9fa1e45876701716fca2fe50c596fa7

SHA256
7facec75c96d70d42cfa7b30836b821557e42903560343fda3f7399df98cbf40

SHA512
1da8c4a6b7e37c56640a49117ba38b5225d37d2dce368ffbdbd6c04988dbd273be135457a9f820a4366838317f47447067836db7cfa4d8327112dcbae44b2728

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
799e05ec19c36bc7900ddae5f50682b2

SHA1
dae2488b8ab80700af309202f0995dc91d3f8385

SHA256
1bb17d10792d1be611a88f10d5b1a7cb79af17be3afd3d6be7c3e3ed05bdee2e

SHA512
35dba22f35d5e71514536d7ea251f221452a7ae7b883498d8ca19d50171eb0b7cef7b5c57998fd90da54a3edeff7bcdf3b4296f08536a3eba7f8faf9754d851d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583b7d.TMP

Filesize
534B

MD5
bbd6e8351ebd171d75512a2b018850d7

SHA1
e2ca4641d17ac2661a7787728a102d5f97533972

SHA256
2fcd2380d87783c42b196953cb57ba6b5fd20b1d5dbca1b4ad4988845a11729b

SHA512
70afe82234f07b84cfce6ed0ee65b7b7b3cf98aa29192b13f225ef50cee10bbfd375ca166c20edb65325506d945659e8be8cd9d5dc468d249604be128ed45219

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a87b0.TMP

Filesize
1KB

MD5
0a6976c6071e21d5b8f9ae4117093246

SHA1
475325f97343c12419b8bb10d6c33ecc4aa5c079

SHA256
becfcfeb8bfbb8b1d9de6c46e2a4456fb3fe3d21d10b9ad6f690bd608e215fd7

SHA512
ce57af829cdacd384f2c52319e4b3fcd4c5af8bb7f33d418684f3ff0e01baf989fe5f28641203cf1edeec063a21a55843fb195dead277f27ea46afa9fb3cbe1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b14a42e34b52a145c57ea3e58c96f9af

SHA1
b91758df295ef109f63c3c354cdc9c1dab08a65c

SHA256
8a7e895402ac3f871111103f3d7c453deb99bf0f5f70250da09f2242072d586e

SHA512
614a667859067b1c8d2f1266248bf3f5eb15acc50f2923a27ed5b395a56b1181c97090e46b5106f7575fbfc7478690be782cc8c380cf65509356cb7334f555de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3bd5e35b1bf3951cc58374b6cced788e

SHA1
f6bd35ff46f21417734288578584780bd02edeb7

SHA256
3f32a6df3bfd5c0c55eb810cf604ed4369dcaa17855a1b29b66f42ea7fd7f27c

SHA512
b7c4429ea697a4e656fc61d59577aab19bfc087222e670fac352518d6d000ac59ee95fae1611c01a10e4251619ce9c16d4bfd0119774505bb5923a8812e18bc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c21b1abe1b5e65b1f255ab3b48736a62

SHA1
65dc665b6386d889e428ee9334d5ef9ba14c9436

SHA256
81c81a5ff9844483ceb89df135e9d8d13c25d7393aadcc88239b1bd7d6edba3d

SHA512
52b0cd3ffccc27ab8d649c2a61dca5f2b06d971f5f41609fd2f5526469a131603e82ccb5bb99c15c701b9d58047bf4f03fb269c3a186218bc9d47db87bc9b03d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d40bc11ddc123f8351b4cb156ba3718c

SHA1
291f66f6edd581b87c051fbb1ac17cc079142ec5

SHA256
96fc0dd424d7a4a21eaa2e82713849ce8d0f886a7944de32c6db2ae3f6f8c38a

SHA512
69a526d981ab5ed57d4f38192a3b431f2488902a03d6c7b8b2002660b7d232c4947df180e9907ba1a6c97cf99b9ca2bc1a32622801f1715f30d4005a3f3fa640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
16a6cfd82da4e1ad789b024fbaf9848d

SHA1
2e34b22aea232927bd998db98f2f4f47ebde4f0f

SHA256
8bdf895ee7b895b2a7618d05d3a75ad2954cbcdc476ffd33c3975ed3ad2c79f5

SHA512
528fcc693a3b607a847ab17e14350ea358668650b37f8c5ef3a27d05a2501973fab44a81e898004354ac530d2ce58fcfa094352d9e2010b46a5c887d26110d24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bf9a5f5efc14c9eb4e3a5d2d971fb2e9

SHA1
7e10fc9c7b4caaaff2ef8833a0874f6720f48d98

SHA256
fe134ff636134d2e4fd38a9389e5d50371059008d0e880ee9fb678d72257ecc1

SHA512
e5846d61859787cd39b7b9b367c2393da2f68b50daa1fbe677826b67ee49bc8f050b92186c3a48755f8afe110e185b579072ccc1e20b19d11abd321ea0ac0354

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll

Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
8KB

MD5
cd634452ef30243a3424cb942472a65b

SHA1
8bd3c7cae5e5727a03ff92a15a695f8cec059021

SHA256
45402a0770db11f5a54ed0638e0be7d956a7a013a086214c71c03f25852196af

SHA512
90c27997e58885455cbf9745baa113dac3421edce433227fb36306189e3bafbf15ede4973799691002962cd0ca4777c66c1bc70a5e0cb5547c3faec0a316c846

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\NJRat.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 224677.crdownload

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 409767.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 584113.crdownload

Filesize
125KB

MD5
ea534626d73f9eb0e134de9885054892

SHA1
ab03e674b407aecf29c907b39717dec004843b13

SHA256
322eb96fc33119d8ed21b45f1cd57670f74fb42fd8888275ca4879dce1c1511c

SHA512
c8cda90323fd94387a566641ec48cb086540a400726032f3261151afe8a981730688a4dcd0983d9585355e22833a035ef627dbd1f643c4399f9ddce118a3a851

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 625566.crdownload

Filesize
381KB

MD5
35a27d088cd5be278629fae37d464182

SHA1
d5a291fadead1f2a0cf35082012fe6f4bf22a3ab

SHA256
4a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69

SHA512
eb0be3026321864bd5bcf53b88dc951711d8c0b4bcbd46800b90ca5116a56dba22452530e29f3ccbbcc43d943bdefc8ed8ca2d31ba2e7e5f0e594f74adba4ab5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 783521.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 833799.crdownload

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 836028.crdownload

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/1624-17016-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1624-772-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1624-786-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2788-9667-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2788-12429-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2788-774-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3112-546-0x0000026E21960000-0x0000026E22274000-memory.dmp

Filesize
9.1MB

Download
memory/3900-513-0x00000167211B0000-0x00000167211CE000-memory.dmp

Filesize
120KB

Download
memory/37232-25700-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/37232-25698-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/37232-25677-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/37400-25697-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/37400-25702-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/37400-25705-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/38432-25786-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/41200-26152-0x000000001D560000-0x000000001DA88000-memory.dmp

Filesize
5.2MB

Download
memory/41200-26151-0x000000001CE60000-0x000000001D022000-memory.dmp

Filesize
1.8MB

Download
memory/41200-26150-0x00007FFC507F0000-0x00007FFC5093F000-memory.dmp

Filesize
1.3MB

Download
memory/41200-26144-0x0000000000680000-0x00000000006AA000-memory.dmp

Filesize
168KB

Download
memory/42592-26241-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/42592-26243-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads