asyncrat | 1d2dd29ed3e57eb0da6ed185cc2ebe7f69985953a3c214c4ba47c4b4e915fec8

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12-07-2024 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c31ae3a0e6825a0e37ae6a662ea5afa_JaffaCakes118.exe
Size

21.2MB
MD5

3c31ae3a0e6825a0e37ae6a662ea5afa
SHA1

5fd70780a64c8386e365c598b2e766858967aec5
SHA256

1d2dd29ed3e57eb0da6ed185cc2ebe7f69985953a3c214c4ba47c4b4e915fec8
SHA512

56732de6ed6519fcad796004d195ad042686322928f56cfeacc5b731e1437c205aee9cfb1694ec64629a16b71962a28eb8fdd06c55d0e59cd41b32c34068baf0
SSDEEP

393216:roWcToMPDllAY4l81+I833ZvjG1ZMrCzMjauPIyPQJtAiB:Sp7V4Fb5bG1CM8augyIMi

Score

10^/10

asyncrat blacknet nanocore njrat xmrig bot client default evasion execution keylogger miner persistence rat spyware stealer trojan

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

Client

dontreachme3.ddns.net:3604

Mutex

EdgeBrowser.exe

Attributes

reg_key
EdgeBrowser.exe
splitter
123

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

Bot

https://furyx.de/panel

Mutex

BN[e5decf896675e5ecc7bbef8ebff8a786]

Attributes

antivm
false
elevate_uac
false
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
50651597687556f33b7fc75d90350b99
startup
false
usb_spread
true

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

dontreachme3.ddns.net:3601

dontreachme1.ddns.net:3601

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_file
EpicGames.exe
install_folder
%AppData%

aes.plain

Extracted

Family

nanocore

Version

1.2.2.0

dontreachme3.ddns.net:3603

dontreachme1.ddns.net:3603

Mutex

19a5c2b0-5593-40da-9945-6c6b53e85d75

Attributes

activate_away_mode
false
backup_connection_host
dontreachme1.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-11-15T15:45:18.745530536Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
3603
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
19a5c2b0-5593-40da-9945-6c6b53e85d75
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
dontreachme3.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
false
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5280-600-0x0000000000400000-0x000000000041E000-memory.dmp	family_blacknet

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/5280-600-0x0000000000400000-0x000000000041E000-memory.dmp	disable_win_def

Modifies WinLogon for persistence 2 TTPs 13 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

WinExplorer.exeexplorer.exeWindowsExplorer.exeFirefoxinstaller.exeMicrosoft Compatibilitys Telemetry.exeEdgeBrowser.exeEdgeExplorer.exeEpicGames Service.exeEdgeExplorer.exeNortonInstaller.exeEdgeExplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\Documents\\WinExplorer.exe\""	WinExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\explorer\\explorer.exe\""	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\explorer\\explorer.exe\""	WindowsExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\explorer\\explorer.exe\""	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\Documents\\Firefoxinstaller.exe\""	Firefoxinstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\Documents\\Microsoft Compatibilitys Telemetry.exe\""	Microsoft Compatibilitys Telemetry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\EdgeBrowser.exe\""	EdgeBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\Documents\\EdgeExplorer.exe\""	EdgeExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\Documents\\EpicGames Service.exe\""	EpicGames Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\Documents\\EdgeExplorer.exe\""	EdgeExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\Documents\\NortonInstaller.exe\""	NortonInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\explorer\\explorer.exe\""	WindowsExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\Documents\\EdgeExplorer.exe\""	EdgeExplorer.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

EdgeExplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	EdgeExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	EdgeExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	EdgeExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	EdgeExplorer.exe

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disable or Modify Tools
T1562.001

Modify Registry
T1112

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exeWD+UAC.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WD+UAC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Windows security bypass 2 TTPs 15 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Firefoxinstaller.exeEpicGames Service.exeWinExplorer.exeEdgeBrowser.exeNortonInstaller.exeMicrosoft Compatibilitys Telemetry.exeEdgeExplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe = "0"	Firefoxinstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\EpicGames Service.exe = "0"	EpicGames Service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\WinExplorer.exe = "0"	WinExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe = "0"	EdgeBrowser.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe = "0"	WinExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe = "0"	NortonInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Compatibilitys Telemetry.exe = "0"	Microsoft Compatibilitys Telemetry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\Microsoft Compatibilitys Telemetry.exe = "0"	Microsoft Compatibilitys Telemetry.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	EdgeExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EpicGames Service.exe = "0"	EpicGames Service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\Firefoxinstaller.exe = "0"	Firefoxinstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\EdgeBrowser.exe = "0"	EdgeBrowser.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeExplorer.exe = "0"	EdgeExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\EdgeExplorer.exe = "0"	EdgeExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\NortonInstaller.exe = "0"	NortonInstaller.exe

XMRig Miner payload 3 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\Documents\Microsoft Compatibility Telemetry.exe	family_xmrig
C:\Users\Admin\Documents\Microsoft Compatibility Telemetry.exe	xmrig
behavioral2/memory/7920-834-0x00000000004D0000-0x0000000000BFC000-memory.dmp	xmrig

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WindowsExplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WindowsExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RuntimeBroker = "\"C:\\explorer\\explorer.exe\""	WindowsExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RuntimeBroker = "\"C:\\explorer\\explorer.exe\""	explorer.exe

Blocklisted process makes network request 1 IoCs

Processes:

EpicGames Service.exe

flow pid process

13 2372 EpicGames Service.exe

flow	pid	process
13	2372	EpicGames Service.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 39 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4192	powershell.exe
5320	powershell.exe
6436	powershell.exe
4856	powershell.exe
2380	powershell.exe
6536	powershell.exe
8120	powershell.exe
4216	powershell.exe
1684	powershell.exe
4948	powershell.exe
6316	powershell.exe
5668	powershell.exe
5028	powershell.exe
3652	powershell.exe
1272	powershell.exe
8128	powershell.exe
3660	powershell.exe
7960	powershell.exe
5204	powershell.exe
2044	powershell.exe
1660	powershell.exe
216	powershell.exe
6200	powershell.exe
1652	powershell.exe
7680	powershell.exe
1604	powershell.exe
2108	powershell.exe
4144	powershell.exe
2372	powershell.exe
4496	powershell.exe
2640	powershell.exe
4900	powershell.exe
5284	powershell.exe
4116	powershell.exe
4532	powershell.exe
5636	powershell.exe
5724	powershell.exe
2040	powershell.exe
8144	powershell.exe

Drops file in Drivers directory 1 IoCs

Processes:

Microsoft Compatibility Telemetry.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts Microsoft Compatibility Telemetry.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Microsoft Compatibility Telemetry.exe

Checks computer location settings 2 TTPs 18 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EdgeExplorer.exeMicrosoft Compatibility Telemetry.exetmpCE7C.tmp.exeWinExplorer.exeMicrosoft Compatibilitys Telemetry.exeFirefoxinstaller.exeMicrosoft Compatibilitys Telemetry.exeEdgeExplorer.exeEdgeBrowser.exeEdgeExplorer.exeWindows Security.exetmpC563.tmp.exeEdgeExplorer.exeEpicGames Service.exeWindowsExplorer.exe3c31ae3a0e6825a0e37ae6a662ea5afa_JaffaCakes118.exeNortonInstaller.exeWinExplorer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	EdgeExplorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Compatibility Telemetry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	tmpCE7C.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	WinExplorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Compatibilitys Telemetry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Firefoxinstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Microsoft Compatibilitys Telemetry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	EdgeExplorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	EdgeBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	EdgeExplorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Windows Security.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	tmpC563.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	EdgeExplorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	EpicGames Service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	WindowsExplorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	3c31ae3a0e6825a0e37ae6a662ea5afa_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	NortonInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	WinExplorer.exe

Drops startup file 15 IoCs

Processes:

WinExplorer.exeEdgeBrowser.exeMicrosoft Compatibility Telemetry.exeFirefoxinstaller.exeNortonInstaller.exeEdgeExplorer.exeMicrosoft Compatibilitys Telemetry.exeEpicGames Service.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe	WinExplorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe	EdgeBrowser.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security.exe	Microsoft Compatibility Telemetry.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe	Firefoxinstaller.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe	Firefoxinstaller.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe	NortonInstaller.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe	NortonInstaller.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeExplorer.exe	EdgeExplorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe	WinExplorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Compatibilitys Telemetry.exe	Microsoft Compatibilitys Telemetry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe	EdgeBrowser.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeExplorer.exe	EdgeExplorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EpicGames Service.exe	EpicGames Service.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EpicGames Service.exe	EpicGames Service.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Compatibilitys Telemetry.exe	Microsoft Compatibilitys Telemetry.exe

Executes dropped EXE 37 IoCs

Processes:

tmpC563.tmp.exetmpCE7C.tmp.exeProtonVPN_win_v1.18.5.exeWD+UAC.exeEdgeExplorer.exeEpicGames Service.exeFirefoxinstaller.exeMicrosoft Compatibilitys Telemetry.exeNortonInstaller.exeWinExplorer.exeEdgeExplorer.exeEpicGames Service.exeFirefoxinstaller.exeFirefoxinstaller.exeWinExplorer.exeNortonInstaller.exeNortonInstaller.exeWindowsExplorer.exeEdgeBrowser.exeMicrosoft Compatibilitys Telemetry.exeMicrosoft Compatibilitys Telemetry.exeMicrosoft Compatibilitys Telemetry.exeMicrosoft Compatibility Telemetry.exeEdgeBrowser.exeEdgeExplorer.exeexplorer.exeEdgeExplorer.exeEdgeExplorer.exeEdgeExplorer.exeEdgeExplorer.exeWindows Security.exeMicrosoftCompabilityTelemetry.exeMicrosoftCompabilityTelemetry.exeMicrosoftCompabilityTelemetry.exeMicrosoftCompabilityTelemetry.exeMicrosoftCompabilityTelemetry.exeMicrosoftCompabilityTelemetry.exe

pid	process
3680	tmpC563.tmp.exe
1596	tmpCE7C.tmp.exe
536	ProtonVPN_win_v1.18.5.exe
324	WD+UAC.exe
1676	EdgeExplorer.exe
2372	EpicGames Service.exe
628	Firefoxinstaller.exe
2348	Microsoft Compatibilitys Telemetry.exe
2492	NortonInstaller.exe
1548	WinExplorer.exe
6404	EdgeExplorer.exe
6996	EpicGames Service.exe
7044	Firefoxinstaller.exe
5280	Firefoxinstaller.exe
7148	WinExplorer.exe
7388	NortonInstaller.exe
7412	NortonInstaller.exe
7760	WindowsExplorer.exe
8092	EdgeBrowser.exe
6916	Microsoft Compatibilitys Telemetry.exe
4316	Microsoft Compatibilitys Telemetry.exe
3580	Microsoft Compatibilitys Telemetry.exe
7920	Microsoft Compatibility Telemetry.exe
2952	EdgeBrowser.exe
8080	EdgeExplorer.exe
7060	explorer.exe
4492	EdgeExplorer.exe
6608	EdgeExplorer.exe
4948	EdgeExplorer.exe
5624	EdgeExplorer.exe
6856	Windows Security.exe
7756	MicrosoftCompabilityTelemetry.exe
6396	MicrosoftCompabilityTelemetry.exe
6760	MicrosoftCompabilityTelemetry.exe
8116	MicrosoftCompabilityTelemetry.exe
5952	MicrosoftCompabilityTelemetry.exe
7228	MicrosoftCompabilityTelemetry.exe

Loads dropped DLL 3 IoCs

Processes:

ProtonVPN_win_v1.18.5.exeMsiExec.exe

pid process

536 ProtonVPN_win_v1.18.5.exe
536 ProtonVPN_win_v1.18.5.exe
6260 MsiExec.exe

pid	process
536	ProtonVPN_win_v1.18.5.exe
536	ProtonVPN_win_v1.18.5.exe
6260	MsiExec.exe

Windows security modification 2 TTPs 23 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

EdgeExplorer.exeFirefoxinstaller.exeNortonInstaller.exeWinExplorer.exeEpicGames Service.exeMicrosoft Compatibilitys Telemetry.exeEdgeBrowser.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeExplorer.exe = "0"	EdgeExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe = "0"	Firefoxinstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	EdgeExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	EdgeExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\NortonInstaller.exe = "0"	NortonInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe = "0"	WinExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	EdgeExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	EdgeExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	EdgeExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EpicGames Service.exe = "0"	EpicGames Service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\EpicGames Service.exe = "0"	EpicGames Service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe = "0"	NortonInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	EdgeExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	EdgeExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\Microsoft Compatibilitys Telemetry.exe = "0"	Microsoft Compatibilitys Telemetry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe = "0"	EdgeBrowser.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	EdgeExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\EdgeExplorer.exe = "0"	EdgeExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\Firefoxinstaller.exe = "0"	Firefoxinstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\WinExplorer.exe = "0"	WinExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	EdgeExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Compatibilitys Telemetry.exe = "0"	Microsoft Compatibilitys Telemetry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\EdgeBrowser.exe = "0"	EdgeBrowser.exe

Adds Run key to start application 2 TTPs 23 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Firefoxinstaller.exeWinExplorer.exeEdgeBrowser.exeexplorer.exeEdgeExplorer.exeEdgeExplorer.exeWindowsExplorer.exeEdgeExplorer.exeEpicGames Service.exeNortonInstaller.exeMicrosoft Compatibilitys Telemetry.exeFirefoxinstaller.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Firefoxinstaller.exe = "C:\\Users\\Admin\\Documents\\Firefoxinstaller.exe"	Firefoxinstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\Documents\\WinExplorer.exe"	WinExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\EdgeBrowser.exe"	EdgeBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\explorer\\explorer.exe\""	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\Documents\\EdgeExplorer.exe"	EdgeExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EdgeExplorer.exe = "C:\\Users\\Admin\\Documents\\EdgeExplorer.exe"	EdgeExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\explorer\\explorer.exe\""	WindowsExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EdgeExplorer.exe = "C:\\Users\\Admin\\Documents\\EdgeExplorer.exe"	EdgeExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EdgeExplorer.exe = "C:\\Users\\Admin\\Documents\\EdgeExplorer.exe"	EdgeExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\Documents\\EdgeExplorer.exe"	EdgeExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\Documents\\EpicGames Service.exe"	EpicGames Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\Documents\\NortonInstaller.exe"	NortonInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinExplorer.exe = "C:\\Users\\Admin\\Documents\\WinExplorer.exe"	WinExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\Documents\\Microsoft Compatibilitys Telemetry.exe"	Microsoft Compatibilitys Telemetry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Firefox.exeI nstaller\\Firefox.exe"	Firefoxinstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\explorer\\explorer.exe\""	WindowsExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EdgeBrowser.exe = "C:\\Users\\Admin\\EdgeBrowser.exe"	EdgeBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\explorer\\explorer.exe\""	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\Documents\\EdgeExplorer.exe"	EdgeExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\Documents\\Firefoxinstaller.exe"	Firefoxinstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EpicGames Service.exe = "C:\\Users\\Admin\\Documents\\EpicGames Service.exe"	EpicGames Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NortonInstaller.exe = "C:\\Users\\Admin\\Documents\\NortonInstaller.exe"	NortonInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Compatibilitys Telemetry.exe = "C:\\Users\\Admin\\Documents\\Microsoft Compatibilitys Telemetry.exe"	Microsoft Compatibilitys Telemetry.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

WD+UAC.exeNortonInstaller.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WD+UAC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WD+UAC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NortonInstaller.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ProtonVPN_win_v1.18.5.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	ProtonVPN_win_v1.18.5.exe
File opened (read-only)	\??\W:	ProtonVPN_win_v1.18.5.exe
File opened (read-only)	\??\Y:	ProtonVPN_win_v1.18.5.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	ProtonVPN_win_v1.18.5.exe
File opened (read-only)	\??\K:	ProtonVPN_win_v1.18.5.exe
File opened (read-only)	\??\M:	ProtonVPN_win_v1.18.5.exe
File opened (read-only)	\??\Q:	ProtonVPN_win_v1.18.5.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	ProtonVPN_win_v1.18.5.exe
File opened (read-only)	\??\S:	ProtonVPN_win_v1.18.5.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	ProtonVPN_win_v1.18.5.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	ProtonVPN_win_v1.18.5.exe
File opened (read-only)	\??\T:	ProtonVPN_win_v1.18.5.exe
File opened (read-only)	\??\U:	ProtonVPN_win_v1.18.5.exe
File opened (read-only)	\??\X:	ProtonVPN_win_v1.18.5.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	ProtonVPN_win_v1.18.5.exe
File opened (read-only)	\??\N:	ProtonVPN_win_v1.18.5.exe
File opened (read-only)	\??\V:	ProtonVPN_win_v1.18.5.exe
File opened (read-only)	\??\Z:	ProtonVPN_win_v1.18.5.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	ProtonVPN_win_v1.18.5.exe
File opened (read-only)	\??\J:	ProtonVPN_win_v1.18.5.exe
File opened (read-only)	\??\L:	ProtonVPN_win_v1.18.5.exe
File opened (read-only)	\??\R:	ProtonVPN_win_v1.18.5.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	ProtonVPN_win_v1.18.5.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

Processes:

flow	ioc
53	pastebin.com
16	pastebin.com
36	pastebin.com
13	pastebin.com
14	pastebin.com
17	pastebin.com
20	pastebin.com
52	pastebin.com
93	pastebin.com
10	pastebin.com
12	pastebin.com

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

43 api.ipify.org
44 api.ipify.org

flow	ioc
43	api.ipify.org
44	api.ipify.org

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

WindowsExplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	WindowsExplorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	explorer.exe

Drops file in System32 directory 2 IoCs

Processes:

reagentc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Recovery	reagentc.exe
File opened for modification	C:\Windows\SysWOW64\Recovery\ReAgent.xml	reagentc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

Processes:

EdgeExplorer.exeEpicGames Service.exeFirefoxinstaller.exeWinExplorer.exeNortonInstaller.exe

pid	process
1676	EdgeExplorer.exe
1676	EdgeExplorer.exe
1676	EdgeExplorer.exe
1676	EdgeExplorer.exe
1676	EdgeExplorer.exe
1676	EdgeExplorer.exe
1676	EdgeExplorer.exe
1676	EdgeExplorer.exe
1676	EdgeExplorer.exe
1676	EdgeExplorer.exe
1676	EdgeExplorer.exe
1676	EdgeExplorer.exe
1676	EdgeExplorer.exe
1676	EdgeExplorer.exe
1676	EdgeExplorer.exe
2372	EpicGames Service.exe
2372	EpicGames Service.exe
2372	EpicGames Service.exe
2372	EpicGames Service.exe
2372	EpicGames Service.exe
2372	EpicGames Service.exe
2372	EpicGames Service.exe
2372	EpicGames Service.exe
2372	EpicGames Service.exe
2372	EpicGames Service.exe
2372	EpicGames Service.exe
2372	EpicGames Service.exe
2372	EpicGames Service.exe
2372	EpicGames Service.exe
2372	EpicGames Service.exe
628	Firefoxinstaller.exe
628	Firefoxinstaller.exe
628	Firefoxinstaller.exe
628	Firefoxinstaller.exe
628	Firefoxinstaller.exe
628	Firefoxinstaller.exe
628	Firefoxinstaller.exe
628	Firefoxinstaller.exe
628	Firefoxinstaller.exe
628	Firefoxinstaller.exe
628	Firefoxinstaller.exe
628	Firefoxinstaller.exe
628	Firefoxinstaller.exe
628	Firefoxinstaller.exe
628	Firefoxinstaller.exe
1548	WinExplorer.exe
1548	WinExplorer.exe
1548	WinExplorer.exe
1548	WinExplorer.exe
1548	WinExplorer.exe
1548	WinExplorer.exe
1548	WinExplorer.exe
1548	WinExplorer.exe
1548	WinExplorer.exe
1548	WinExplorer.exe
1548	WinExplorer.exe
1548	WinExplorer.exe
1548	WinExplorer.exe
1548	WinExplorer.exe
1548	WinExplorer.exe
2492	NortonInstaller.exe
2492	NortonInstaller.exe
2492	NortonInstaller.exe
2492	NortonInstaller.exe

Suspicious use of SetThreadContext 10 IoCs

Processes:

EdgeExplorer.exeEpicGames Service.exeFirefoxinstaller.exeFirefoxinstaller.exeWinExplorer.exeNortonInstaller.exeMicrosoft Compatibilitys Telemetry.exeEdgeBrowser.exeEdgeExplorer.exeEdgeExplorer.exe

description	pid	process	target process
PID 1676 set thread context of 6404	1676	EdgeExplorer.exe	Conhost.exe
PID 2372 set thread context of 6996	2372	EpicGames Service.exe	EpicGames Service.exe
PID 628 set thread context of 7044	628	Firefoxinstaller.exe	Firefoxinstaller.exe
PID 7044 set thread context of 5280	7044	Firefoxinstaller.exe	Firefoxinstaller.exe
PID 1548 set thread context of 7148	1548	WinExplorer.exe	WinExplorer.exe
PID 2492 set thread context of 7412	2492	NortonInstaller.exe	NortonInstaller.exe
PID 2348 set thread context of 4316	2348	Microsoft Compatibilitys Telemetry.exe	Microsoft Compatibilitys Telemetry.exe
PID 8092 set thread context of 2952	8092	EdgeBrowser.exe	EdgeBrowser.exe
PID 8080 set thread context of 6608	8080	EdgeExplorer.exe	EdgeExplorer.exe
PID 4948 set thread context of 5624	4948	EdgeExplorer.exe	EdgeExplorer.exe

Drops file in Windows directory 6 IoCs

Processes:

reagentc.exeMicrosoft Compatibility Telemetry.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	reagentc.exe
File created	C:\Windows\MicrosoftCompabilityTelemetry.exe	Microsoft Compatibility Telemetry.exe
File opened for modification	C:\Windows\MicrosoftCompabilityTelemetry.exe	Microsoft Compatibility Telemetry.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2540	324	WerFault.exe	WD+UAC.exe
7064	1676	WerFault.exe	EdgeExplorer.exe
6892	2372	WerFault.exe	EpicGames Service.exe
6224	628	WerFault.exe	Firefoxinstaller.exe
7360	1548	WerFault.exe	WinExplorer.exe
7568	2492	WerFault.exe	NortonInstaller.exe
1832	2348	WerFault.exe	Microsoft Compatibilitys Telemetry.exe
3428	8092	WerFault.exe	EdgeBrowser.exe
1308	8080	WerFault.exe	EdgeExplorer.exe
5756	4948	WerFault.exe	EdgeExplorer.exe

Delays execution with timeout.exe 9 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

5720 timeout.exe
5940 timeout.exe
7080 timeout.exe
8032 timeout.exe
2916 timeout.exe
5728 timeout.exe
6584 timeout.exe
7256 timeout.exe
6008 timeout.exe
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

2388 reg.exe
7968 reg.exe

pid	process
5720	timeout.exe
5940	timeout.exe
7080	timeout.exe
8032	timeout.exe
2916	timeout.exe
5728	timeout.exe
6584	timeout.exe
7256	timeout.exe
6008	timeout.exe

pid	process
2388	reg.exe
7968	reg.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

ProtonVPN_win_v1.18.5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	ProtonVPN_win_v1.18.5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	ProtonVPN_win_v1.18.5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	ProtonVPN_win_v1.18.5.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4832 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

5348 schtasks.exe
7560 schtasks.exe
8136 schtasks.exe
4760 schtasks.exe
2816 schtasks.exe
4836 schtasks.exe

pid	process
4832	PING.EXE

pid	process
5348	schtasks.exe
7560	schtasks.exe
8136	schtasks.exe
4760	schtasks.exe
2816	schtasks.exe
4836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tmpCE7C.tmp.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1596	tmpCE7C.tmp.exe
1596	tmpCE7C.tmp.exe
1596	tmpCE7C.tmp.exe
4192	powershell.exe
4192	powershell.exe
4216	powershell.exe
4216	powershell.exe
1272	powershell.exe
1272	powershell.exe
5028	powershell.exe
5028	powershell.exe
2640	powershell.exe
2640	powershell.exe
3652	powershell.exe
3652	powershell.exe
4116	powershell.exe
4116	powershell.exe
1604	powershell.exe
1604	powershell.exe
2380	powershell.exe
2380	powershell.exe
1660	powershell.exe
1660	powershell.exe
1684	powershell.exe
1684	powershell.exe
2044	powershell.exe
2044	powershell.exe
4948	powershell.exe
4948	powershell.exe
4192	powershell.exe
4192	powershell.exe
4532	powershell.exe
4532	powershell.exe
216	powershell.exe
216	powershell.exe
2108	powershell.exe
2108	powershell.exe
4900	powershell.exe
4900	powershell.exe
5320	powershell.exe
5320	powershell.exe
4216	powershell.exe
4216	powershell.exe
2640	powershell.exe
2640	powershell.exe
1272	powershell.exe
1272	powershell.exe
4116	powershell.exe
4116	powershell.exe
5028	powershell.exe
5028	powershell.exe
1604	powershell.exe
1604	powershell.exe
3652	powershell.exe
3652	powershell.exe
2380	powershell.exe
2380	powershell.exe
5636	powershell.exe
5636	powershell.exe
1684	powershell.exe
1684	powershell.exe
5284	powershell.exe
5284	powershell.exe
1660	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

NortonInstaller.exe

pid process

7412 NortonInstaller.exe

pid	process
7412	NortonInstaller.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

3c31ae3a0e6825a0e37ae6a662ea5afa_JaffaCakes118.exetmpCE7C.tmp.exeEpicGames Service.exeEdgeExplorer.exeFirefoxinstaller.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWinExplorer.exeNortonInstaller.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeMicrosoft Compatibilitys Telemetry.exemsiexec.exepowershell.exeProtonVPN_win_v1.18.5.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3184	3c31ae3a0e6825a0e37ae6a662ea5afa_JaffaCakes118.exe
Token: SeDebugPrivilege	1596	tmpCE7C.tmp.exe
Token: SeDebugPrivilege	2372	EpicGames Service.exe
Token: SeDebugPrivilege	1676	EdgeExplorer.exe
Token: SeDebugPrivilege	628	Firefoxinstaller.exe
Token: SeDebugPrivilege	4192	powershell.exe
Token: SeDebugPrivilege	4216	powershell.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeDebugPrivilege	4116	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	1548	WinExplorer.exe
Token: SeDebugPrivilege	2492	NortonInstaller.exe
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeDebugPrivilege	5320	powershell.exe
Token: SeDebugPrivilege	5284	powershell.exe
Token: SeDebugPrivilege	5636	powershell.exe
Token: SeDebugPrivilege	2348	Microsoft Compatibilitys Telemetry.exe
Token: SeSecurityPrivilege	6460	msiexec.exe
Token: SeDebugPrivilege	6316	powershell.exe
Token: SeCreateTokenPrivilege	536	ProtonVPN_win_v1.18.5.exe
Token: SeAssignPrimaryTokenPrivilege	536	ProtonVPN_win_v1.18.5.exe
Token: SeLockMemoryPrivilege	536	ProtonVPN_win_v1.18.5.exe
Token: SeIncreaseQuotaPrivilege	536	ProtonVPN_win_v1.18.5.exe
Token: SeMachineAccountPrivilege	536	ProtonVPN_win_v1.18.5.exe
Token: SeTcbPrivilege	536	ProtonVPN_win_v1.18.5.exe
Token: SeSecurityPrivilege	536	ProtonVPN_win_v1.18.5.exe
Token: SeTakeOwnershipPrivilege	536	ProtonVPN_win_v1.18.5.exe
Token: SeLoadDriverPrivilege	536	ProtonVPN_win_v1.18.5.exe
Token: SeSystemProfilePrivilege	536	ProtonVPN_win_v1.18.5.exe
Token: SeSystemtimePrivilege	536	ProtonVPN_win_v1.18.5.exe
Token: SeProfSingleProcessPrivilege	536	ProtonVPN_win_v1.18.5.exe
Token: SeIncBasePriorityPrivilege	536	ProtonVPN_win_v1.18.5.exe
Token: SeCreatePagefilePrivilege	536	ProtonVPN_win_v1.18.5.exe
Token: SeCreatePermanentPrivilege	536	ProtonVPN_win_v1.18.5.exe
Token: SeBackupPrivilege	536	ProtonVPN_win_v1.18.5.exe
Token: SeRestorePrivilege	536	ProtonVPN_win_v1.18.5.exe
Token: SeShutdownPrivilege	536	ProtonVPN_win_v1.18.5.exe
Token: SeDebugPrivilege	536	ProtonVPN_win_v1.18.5.exe
Token: SeAuditPrivilege	536	ProtonVPN_win_v1.18.5.exe
Token: SeSystemEnvironmentPrivilege	536	ProtonVPN_win_v1.18.5.exe
Token: SeChangeNotifyPrivilege	536	ProtonVPN_win_v1.18.5.exe
Token: SeRemoteShutdownPrivilege	536	ProtonVPN_win_v1.18.5.exe
Token: SeUndockPrivilege	536	ProtonVPN_win_v1.18.5.exe
Token: SeSyncAgentPrivilege	536	ProtonVPN_win_v1.18.5.exe
Token: SeEnableDelegationPrivilege	536	ProtonVPN_win_v1.18.5.exe
Token: SeManageVolumePrivilege	536	ProtonVPN_win_v1.18.5.exe
Token: SeImpersonatePrivilege	536	ProtonVPN_win_v1.18.5.exe
Token: SeCreateGlobalPrivilege	536	ProtonVPN_win_v1.18.5.exe
Token: SeDebugPrivilege	6436	powershell.exe
Token: SeDebugPrivilege	6200	powershell.exe
Token: SeDebugPrivilege	6536	powershell.exe
Token: SeCreateTokenPrivilege	536	ProtonVPN_win_v1.18.5.exe
Token: SeAssignPrimaryTokenPrivilege	536	ProtonVPN_win_v1.18.5.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

ProtonVPN_win_v1.18.5.exe

pid process

536 ProtonVPN_win_v1.18.5.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Firefoxinstaller.exeexplorer.exe

pid process

5280 Firefoxinstaller.exe
5280 Firefoxinstaller.exe
7060 explorer.exe

pid	process
536	ProtonVPN_win_v1.18.5.exe

pid	process
5280	Firefoxinstaller.exe
5280	Firefoxinstaller.exe
7060	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3c31ae3a0e6825a0e37ae6a662ea5afa_JaffaCakes118.exetmpC563.tmp.exetmpCE7C.tmp.exeEdgeExplorer.exeEpicGames Service.exeFirefoxinstaller.exe

description	pid	process	target process
PID 3184 wrote to memory of 3680	3184	3c31ae3a0e6825a0e37ae6a662ea5afa_JaffaCakes118.exe	tmpC563.tmp.exe
PID 3184 wrote to memory of 3680	3184	3c31ae3a0e6825a0e37ae6a662ea5afa_JaffaCakes118.exe	tmpC563.tmp.exe
PID 3184 wrote to memory of 3680	3184	3c31ae3a0e6825a0e37ae6a662ea5afa_JaffaCakes118.exe	tmpC563.tmp.exe
PID 3184 wrote to memory of 1596	3184	3c31ae3a0e6825a0e37ae6a662ea5afa_JaffaCakes118.exe	tmpCE7C.tmp.exe
PID 3184 wrote to memory of 1596	3184	3c31ae3a0e6825a0e37ae6a662ea5afa_JaffaCakes118.exe	tmpCE7C.tmp.exe
PID 3680 wrote to memory of 536	3680	tmpC563.tmp.exe	ProtonVPN_win_v1.18.5.exe
PID 3680 wrote to memory of 536	3680	tmpC563.tmp.exe	ProtonVPN_win_v1.18.5.exe
PID 3680 wrote to memory of 536	3680	tmpC563.tmp.exe	ProtonVPN_win_v1.18.5.exe
PID 1596 wrote to memory of 324	1596	tmpCE7C.tmp.exe	WD+UAC.exe
PID 1596 wrote to memory of 324	1596	tmpCE7C.tmp.exe	WD+UAC.exe
PID 1596 wrote to memory of 324	1596	tmpCE7C.tmp.exe	WD+UAC.exe
PID 1596 wrote to memory of 1676	1596	tmpCE7C.tmp.exe	EdgeExplorer.exe
PID 1596 wrote to memory of 1676	1596	tmpCE7C.tmp.exe	EdgeExplorer.exe
PID 1596 wrote to memory of 1676	1596	tmpCE7C.tmp.exe	EdgeExplorer.exe
PID 1596 wrote to memory of 2372	1596	tmpCE7C.tmp.exe	powershell.exe
PID 1596 wrote to memory of 2372	1596	tmpCE7C.tmp.exe	powershell.exe
PID 1596 wrote to memory of 2372	1596	tmpCE7C.tmp.exe	powershell.exe
PID 1596 wrote to memory of 628	1596	tmpCE7C.tmp.exe	Firefoxinstaller.exe
PID 1596 wrote to memory of 628	1596	tmpCE7C.tmp.exe	Firefoxinstaller.exe
PID 1596 wrote to memory of 628	1596	tmpCE7C.tmp.exe	Firefoxinstaller.exe
PID 1676 wrote to memory of 4192	1676	EdgeExplorer.exe	powershell.exe
PID 1676 wrote to memory of 4192	1676	EdgeExplorer.exe	powershell.exe
PID 1676 wrote to memory of 4192	1676	EdgeExplorer.exe	powershell.exe
PID 2372 wrote to memory of 4216	2372	EpicGames Service.exe	powershell.exe
PID 2372 wrote to memory of 4216	2372	EpicGames Service.exe	powershell.exe
PID 2372 wrote to memory of 4216	2372	EpicGames Service.exe	powershell.exe
PID 1596 wrote to memory of 2348	1596	tmpCE7C.tmp.exe	Microsoft Compatibilitys Telemetry.exe
PID 1596 wrote to memory of 2348	1596	tmpCE7C.tmp.exe	Microsoft Compatibilitys Telemetry.exe
PID 1596 wrote to memory of 2348	1596	tmpCE7C.tmp.exe	Microsoft Compatibilitys Telemetry.exe
PID 628 wrote to memory of 1272	628	Firefoxinstaller.exe	powershell.exe
PID 628 wrote to memory of 1272	628	Firefoxinstaller.exe	powershell.exe
PID 628 wrote to memory of 1272	628	Firefoxinstaller.exe	powershell.exe
PID 1676 wrote to memory of 5028	1676	EdgeExplorer.exe	powershell.exe
PID 1676 wrote to memory of 5028	1676	EdgeExplorer.exe	powershell.exe
PID 1676 wrote to memory of 5028	1676	EdgeExplorer.exe	powershell.exe
PID 2372 wrote to memory of 2640	2372	EpicGames Service.exe	powershell.exe
PID 2372 wrote to memory of 2640	2372	EpicGames Service.exe	powershell.exe
PID 2372 wrote to memory of 2640	2372	EpicGames Service.exe	powershell.exe
PID 1596 wrote to memory of 2492	1596	tmpCE7C.tmp.exe	NortonInstaller.exe
PID 1596 wrote to memory of 2492	1596	tmpCE7C.tmp.exe	NortonInstaller.exe
PID 1596 wrote to memory of 2492	1596	tmpCE7C.tmp.exe	NortonInstaller.exe
PID 628 wrote to memory of 4116	628	Firefoxinstaller.exe	powershell.exe
PID 628 wrote to memory of 4116	628	Firefoxinstaller.exe	powershell.exe
PID 628 wrote to memory of 4116	628	Firefoxinstaller.exe	powershell.exe
PID 2372 wrote to memory of 1660	2372	EpicGames Service.exe	powershell.exe
PID 2372 wrote to memory of 1660	2372	EpicGames Service.exe	powershell.exe
PID 2372 wrote to memory of 1660	2372	EpicGames Service.exe	powershell.exe
PID 1596 wrote to memory of 1548	1596	tmpCE7C.tmp.exe	WinExplorer.exe
PID 1596 wrote to memory of 1548	1596	tmpCE7C.tmp.exe	WinExplorer.exe
PID 1596 wrote to memory of 1548	1596	tmpCE7C.tmp.exe	WinExplorer.exe
PID 1676 wrote to memory of 2380	1676	EdgeExplorer.exe	powershell.exe
PID 1676 wrote to memory of 2380	1676	EdgeExplorer.exe	powershell.exe
PID 1676 wrote to memory of 2380	1676	EdgeExplorer.exe	powershell.exe
PID 628 wrote to memory of 1604	628	Firefoxinstaller.exe	powershell.exe
PID 628 wrote to memory of 1604	628	Firefoxinstaller.exe	powershell.exe
PID 628 wrote to memory of 1604	628	Firefoxinstaller.exe	powershell.exe
PID 2372 wrote to memory of 3652	2372	EpicGames Service.exe	powershell.exe
PID 2372 wrote to memory of 3652	2372	EpicGames Service.exe	powershell.exe
PID 2372 wrote to memory of 3652	2372	EpicGames Service.exe	powershell.exe
PID 1676 wrote to memory of 1684	1676	EdgeExplorer.exe	powershell.exe
PID 1676 wrote to memory of 1684	1676	EdgeExplorer.exe	powershell.exe
PID 1676 wrote to memory of 1684	1676	EdgeExplorer.exe	powershell.exe
PID 628 wrote to memory of 2044	628	Firefoxinstaller.exe	powershell.exe
PID 628 wrote to memory of 2044	628	Firefoxinstaller.exe	powershell.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

WD+UAC.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WD+UAC.exe
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

6244 attrib.exe
6320 attrib.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WD+UAC.exe

pid	process
6244	attrib.exe
6320	attrib.exe

C:\Users\Admin\AppData\Local\Temp\3c31ae3a0e6825a0e37ae6a662ea5afa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3c31ae3a0e6825a0e37ae6a662ea5afa_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3184

C:\Users\Admin\AppData\Local\Temp\tmpC563.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpC563.tmp.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680

C:\Users\Admin\AppData\Local\Temp\ProtonVPN_win_v1.18.5.exe
"C:\Users\Admin\AppData\Local\Temp\ProtonVPN_win_v1.18.5.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:536

C:\Users\Admin\AppData\Local\Temp\tmpCE7C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpCE7C.tmp.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1596

C:\Users\Admin\AppData\Local\Temp\WD+UAC.exe
"C:\Users\Admin\AppData\Local\Temp\WD+UAC.exe"
3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
PID:324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 904
4⤵
- Program crash
PID:2540

C:\Users\Admin\Documents\EdgeExplorer.exe
"C:\Users\Admin\Documents\EdgeExplorer.exe"
3⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeExplorer.exe" -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeExplorer.exe" -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeExplorer.exe" -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\EdgeExplorer.exe" -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
4⤵
PID:5212

C:\Windows\SysWOW64\timeout.exe
timeout 1
5⤵
- Delays execution with timeout.exe
PID:5720

C:\Users\Admin\Documents\EdgeExplorer.exe
"C:\Users\Admin\Documents\EdgeExplorer.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:6404

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
5⤵
PID:5392

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\Documents\EdgeExplorer.exe" /sc minute /mo 1
5⤵
- Scheduled Task/Job: Scheduled Task
PID:5348

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:6584

C:\Users\Admin\EdgeBrowser.exe
"C:\Users\Admin\EdgeBrowser.exe"
5⤵
- Modifies WinLogon for persistence
- Windows security bypass
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:8092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
6⤵
- Command and Scripting Interpreter: PowerShell
PID:5724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
6⤵
- Command and Scripting Interpreter: PowerShell
PID:5668

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
6⤵
- Command and Scripting Interpreter: PowerShell
PID:2040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\EdgeBrowser.exe" -Force
6⤵
- Command and Scripting Interpreter: PowerShell
PID:4144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
6⤵
PID:7712

C:\Windows\SysWOW64\timeout.exe
timeout 1
7⤵
- Delays execution with timeout.exe
PID:8032

C:\Users\Admin\EdgeBrowser.exe
"C:\Users\Admin\EdgeBrowser.exe"
6⤵
- Executes dropped EXE
PID:2952

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
7⤵
PID:5748

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\EdgeBrowser.exe" /sc minute /mo 1
7⤵
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8092 -s 2208
6⤵
- Program crash
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 2132
4⤵
- Program crash
PID:7064

C:\Users\Admin\Documents\EpicGames Service.exe
"C:\Users\Admin\Documents\EpicGames Service.exe"
3⤵
- Modifies WinLogon for persistence
- Windows security bypass
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EpicGames Service.exe" -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EpicGames Service.exe" -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EpicGames Service.exe" -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\EpicGames Service.exe" -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
4⤵
PID:5236

C:\Windows\SysWOW64\timeout.exe
timeout 1
5⤵
- Delays execution with timeout.exe
PID:5940

C:\Users\Admin\Documents\EpicGames Service.exe
"C:\Users\Admin\Documents\EpicGames Service.exe"
4⤵
- Executes dropped EXE
PID:6996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 2184
4⤵
- Program crash
PID:6892

C:\Users\Admin\Documents\Firefoxinstaller.exe
"C:\Users\Admin\Documents\Firefoxinstaller.exe"
3⤵
- Modifies WinLogon for persistence
- Windows security bypass
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe" -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe" -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe" -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\Firefoxinstaller.exe" -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
4⤵
PID:5276

C:\Windows\SysWOW64\timeout.exe
timeout 1
5⤵
- Delays execution with timeout.exe
PID:5728

C:\Users\Admin\Documents\Firefoxinstaller.exe
"C:\Users\Admin\Documents\Firefoxinstaller.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:7044

C:\Users\Admin\Documents\Firefoxinstaller.exe
"C:\Users\Admin\Documents\Firefoxinstaller.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 2152
4⤵
- Program crash
PID:6224

C:\Users\Admin\Documents\Microsoft Compatibilitys Telemetry.exe
"C:\Users\Admin\Documents\Microsoft Compatibilitys Telemetry.exe"
3⤵
- Modifies WinLogon for persistence
- Windows security bypass
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Compatibilitys Telemetry.exe" -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:6200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Compatibilitys Telemetry.exe" -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:6316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Compatibilitys Telemetry.exe" -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:6436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\Microsoft Compatibilitys Telemetry.exe" -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:6536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
4⤵
PID:6812

C:\Windows\SysWOW64\timeout.exe
timeout 1
5⤵
- Delays execution with timeout.exe
PID:7256

C:\Users\Admin\Documents\Microsoft Compatibilitys Telemetry.exe
"C:\Users\Admin\Documents\Microsoft Compatibilitys Telemetry.exe"
4⤵
- Executes dropped EXE
PID:6916

C:\Users\Admin\Documents\Microsoft Compatibilitys Telemetry.exe
"C:\Users\Admin\Documents\Microsoft Compatibilitys Telemetry.exe"
4⤵
- Executes dropped EXE
PID:3580

C:\Users\Admin\Documents\Microsoft Compatibilitys Telemetry.exe
"C:\Users\Admin\Documents\Microsoft Compatibilitys Telemetry.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:4316

C:\Users\Admin\Documents\Microsoft Compatibility Telemetry.exe
"C:\Users\Admin\Documents\Microsoft Compatibility Telemetry.exe"
5⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops file in Windows directory
PID:7920

C:\Windows\SysWOW64\reagentc.exe
reagentc.exe /disable
6⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:7960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\
6⤵
- Command and Scripting Interpreter: PowerShell
PID:1652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming
6⤵
- Command and Scripting Interpreter: PowerShell
PID:8120

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension exe
6⤵
- Command and Scripting Interpreter: PowerShell
PID:8128

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:6404

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /SC ONLOGON /RU "NT Authority\System" /TR C:\Windows\MicrosoftCompabilityTelemetry.exe /TN MicrosoftCT
6⤵
- Scheduled Task/Job: Scheduled Task
PID:8136

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
PID:6856

C:\Windows\MicrosoftCompabilityTelemetry.exe
"C:\Windows\MicrosoftCompabilityTelemetry.exe"
7⤵
- Executes dropped EXE
PID:7756

C:\Windows\MicrosoftCompabilityTelemetry.exe
"C:\Windows\MicrosoftCompabilityTelemetry.exe"
7⤵
- Executes dropped EXE
PID:6396

C:\Windows\MicrosoftCompabilityTelemetry.exe
"C:\Windows\MicrosoftCompabilityTelemetry.exe"
7⤵
- Executes dropped EXE
PID:6760

C:\Windows\MicrosoftCompabilityTelemetry.exe
"C:\Windows\MicrosoftCompabilityTelemetry.exe"
7⤵
- Executes dropped EXE
PID:8116

C:\Windows\MicrosoftCompabilityTelemetry.exe
"C:\Windows\MicrosoftCompabilityTelemetry.exe"
7⤵
- Executes dropped EXE
PID:5952

C:\Windows\MicrosoftCompabilityTelemetry.exe
"C:\Windows\MicrosoftCompabilityTelemetry.exe"
7⤵
- Executes dropped EXE
PID:7228

C:\Windows\SysWOW64\attrib.exe
attrib +h C:\Users\Admin\AppData\Roaming\xmrig.exe
6⤵
- Views/modifies file attributes
PID:6320

C:\Windows\SysWOW64\attrib.exe
attrib +h C:\Users\Admin\AppData\Roaming\WinRing0x64.sys
6⤵
- Views/modifies file attributes
PID:6244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 2232
4⤵
- Program crash
PID:1832

C:\Users\Admin\Documents\NortonInstaller.exe
"C:\Users\Admin\Documents\NortonInstaller.exe"
3⤵
- Modifies WinLogon for persistence
- Windows security bypass
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe" -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe" -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe" -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\NortonInstaller.exe" -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
4⤵
PID:4672

C:\Windows\SysWOW64\timeout.exe
timeout 1
5⤵
- Delays execution with timeout.exe
PID:7080

C:\Users\Admin\Documents\NortonInstaller.exe
"C:\Users\Admin\Documents\NortonInstaller.exe"
4⤵
- Executes dropped EXE
PID:7388

C:\Users\Admin\Documents\NortonInstaller.exe
"C:\Users\Admin\Documents\NortonInstaller.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:7412

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NAT Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4E4A.tmp"
5⤵
- Scheduled Task/Job: Scheduled Task
PID:7560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 2252
4⤵
- Program crash
PID:7568

C:\Users\Admin\Documents\WinExplorer.exe
"C:\Users\Admin\Documents\WinExplorer.exe"
3⤵
- Modifies WinLogon for persistence
- Windows security bypass
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe" -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe" -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe" -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\WinExplorer.exe" -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
4⤵
PID:6136

C:\Windows\SysWOW64\timeout.exe
timeout 1
5⤵
- Delays execution with timeout.exe
PID:6584

C:\Users\Admin\Documents\WinExplorer.exe
"C:\Users\Admin\Documents\WinExplorer.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:7148

C:\Users\Admin\Documents\WindowsExplorer.exe
"C:\Users\Admin\Documents\WindowsExplorer.exe"
5⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
PID:7760

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
6⤵
PID:7808

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
7⤵
- UAC bypass
- Modifies registry key
PID:2388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
6⤵
PID:5536

C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 2
7⤵
- Runs ping.exe
PID:4832

C:\explorer\explorer.exe
"C:\explorer\explorer.exe"
7⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Suspicious use of SetWindowsHookEx
PID:7060

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
8⤵
PID:4164

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
9⤵
- UAC bypass
- Modifies registry key
PID:7968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 2192
4⤵
- Program crash
PID:7360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 324 -ip 324
1⤵
PID:3100

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:6460

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 3854CECAA075DA0C8B252424F0995150 C
2⤵
- Loads dropped DLL
PID:6260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1676 -ip 1676
1⤵
PID:6696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2372 -ip 2372
1⤵
PID:5996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 628 -ip 628
1⤵
PID:6696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1548 -ip 1548
1⤵
PID:7200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2492 -ip 2492
1⤵
PID:7484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2348 -ip 2348
1⤵
PID:4552

C:\Users\Admin\Documents\EdgeExplorer.exe
C:\Users\Admin\Documents\EdgeExplorer.exe
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:8080

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeExplorer.exe" -Force
2⤵
- Command and Scripting Interpreter: PowerShell
PID:2372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeExplorer.exe" -Force
2⤵
- Command and Scripting Interpreter: PowerShell
PID:8144

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeExplorer.exe" -Force
2⤵
- Command and Scripting Interpreter: PowerShell
PID:4856

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\EdgeExplorer.exe" -Force
2⤵
- Command and Scripting Interpreter: PowerShell
PID:4496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
PID:2204

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2916

C:\Users\Admin\Documents\EdgeExplorer.exe
"C:\Users\Admin\Documents\EdgeExplorer.exe"
2⤵
- Executes dropped EXE
PID:4492

C:\Users\Admin\Documents\EdgeExplorer.exe
"C:\Users\Admin\Documents\EdgeExplorer.exe"
2⤵
- Executes dropped EXE
PID:6608

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:6040

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\Documents\EdgeExplorer.exe" /sc minute /mo 1
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8080 -s 2144
2⤵
- Program crash
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 8092 -ip 8092
1⤵
PID:7524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 8080 -ip 8080
1⤵
PID:4576

C:\Users\Admin\Documents\EdgeExplorer.exe
C:\Users\Admin\Documents\EdgeExplorer.exe
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeExplorer.exe" -Force
2⤵
- Command and Scripting Interpreter: PowerShell
PID:3660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeExplorer.exe" -Force
2⤵
- Command and Scripting Interpreter: PowerShell
PID:7960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeExplorer.exe" -Force
2⤵
- Command and Scripting Interpreter: PowerShell
PID:7680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\EdgeExplorer.exe" -Force
2⤵
- Command and Scripting Interpreter: PowerShell
PID:5204

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
PID:5696

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:6008

C:\Users\Admin\Documents\EdgeExplorer.exe
"C:\Users\Admin\Documents\EdgeExplorer.exe"
2⤵
- Executes dropped EXE
PID:5624

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:5284

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\Documents\EdgeExplorer.exe" /sc minute /mo 1
3⤵
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 1032
2⤵
- Program crash
PID:5756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4948 -ip 4948
1⤵
PID:5880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Firefoxinstaller.exe.log

Filesize
507B

MD5
76ffb2f33cb32ade8fc862a67599e9d8

SHA1
920cc4ab75b36d2f9f6e979b74db568973c49130

SHA256
f1a3724670e3379318ec9c73f6f39058cab0ab013ba3cd90c047c3d701362310

SHA512
f33502c2e1bb30c05359bfc6819ca934642a1e01874e3060349127d792694d56ad22fccd6c9477b8ee50d66db35785779324273f509576b48b7f85577e001b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
124edf3ad57549a6e475f3bc4e6cfe51

SHA1
80f5187eeebb4a304e9caa0ce66fcd78c113d634

SHA256
638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

SHA512
b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
764b98b91c93e712ba5926e03017e509

SHA1
0c4670aa346cd84f0216743c7d731ffda4cecb59

SHA256
4e9cc0a846f5d5ee4edb192e8f795e4b049a7fc9d3208eb3477c30c8808367d3

SHA512
00f5538a8a17b55d4b80646546f2b728686c649eed981ade06e732c10cd416793e8e4f32756921769a38be919523c16be4996581368f11d7d01c93e2e59c3f99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4a805112e66d8833d719d701d95b307b

SHA1
c632d8ef209d1789bffb5950d66db0eef72c8e8e

SHA256
76146f5901628510184de9ad0c885cc97a1cb25c0c6a0fc553cd852fc0c419ee

SHA512
f6c76ba4071abbd14f8c4e08b48fe45c0a297db3c62444ebcde436dddaafcc08f569498ad4f1bb6237e3e09c09436d7a8285bf8f6a2a3eafd8e5bcd148cd58b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_536\dialog

Filesize
26KB

MD5
8a372c8339a8facc35088ce99a977d96

SHA1
bf83cad6c9ef75277ed308a6999a08491df106ef

SHA256
6a9f617ad2117b3756188ff46ae14e43981f0672904d68b9ba0b9c5ab3525ecf

SHA512
f23c3a0427b743061cfffc0310d97f7d62bf152e0acc3f13076f4c75ee653ef327ebb6a8f1b0553e7bddfe129b7261f061865b35791109a5ca08c4e00c73c1c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2B82.tmp

Filesize
381KB

MD5
1784f93d75b7bb91d6d0f8b58dc4c8a5

SHA1
0687632aaea1b8e8f5ae3a571c38f8231b7ebd6b

SHA256
12e19e33cac72fc0bc613de6b971075596df231ec52c063711edff4672da530c

SHA512
00501e54c0d7e4ccba3c307567f9b68a590738ac8d07a685de3c334f468cbc52631c038b79a6868caf7bfa65386580462f530317f85512db8f545919105975a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProtonVPN_win_v1.18.5.exe

Filesize
15.3MB

MD5
262b6d09ac1b4c02b38abde0e272c833

SHA1
f99ee3f05216f764f536c2e8aeeb70d6a7f7dd72

SHA256
5a29fed9209c85b1417f4a0efdf10f2779a5b838f8eccdb28cf3555a64e1ba6f

SHA512
75ed8c44a429572cbff9e0afdb0924f80c03f0b249da857a935b30f89fbeb4f4e04faa7f2c89e37a1ff718df01e648c90716fe7f501a65f3215237a11c98cc91

Download Submit
C:\Users\Admin\AppData\Local\Temp\WD+UAC.exe

Filesize
97KB

MD5
77796247470714fe3672f805d5ff6903

SHA1
1aca720af56f7120cbb923c5bd7ac877bcd834e6

SHA256
dfb39aae10f9924bf6658a9c16451968f8f677fde6d66f02269d3a9be106e0c5

SHA512
71118f3d837c10f813369203f0a58b9a0861b5981d47860d6f83227e56278f09d00ce8ae8c5c75fa442eeb79c3601eefcee50e91e4009d7902ea7c9be4bc49ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wlhp1grr.vuc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
127B

MD5
80b32b79bf519fce07cdf7b8b7881067

SHA1
2fe368e8f5855ef5f08c46f389bf3b5482ace60b

SHA256
8ed98d8b82c482aaa79a8ea2f1aaea676c5641d69f2478ba7f241e990d5d99b1

SHA512
dc7b986bd5de842d8beb315dea77a424194701b6272cac884dd31cd04586879fa93f3d1f44ec9ca01625b31115b00a2b5fe5028baef7d9ab277881653cab116e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4E4A.tmp

Filesize
1KB

MD5
8d64f65d497b498fe88d9f446628e0e6

SHA1
2c01f76965fa52f717649db191a016b04c296b97

SHA256
735f05df747c5fee00b019083ce51cc52bc338382228e43441f1700a8dc3385b

SHA512
e9f3df490abd42ca4321a771ee35a54819e37eea99256a398544d94c6ff30f7d021a23d87233e3112a2edb5d5fecef4835b688281e2b29d114af01a90cd6fbf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC563.tmp.exe

Filesize
15.4MB

MD5
4328c8add156ae46095b9dca33124965

SHA1
5619d8300ae539380e6e8f9bd162c4b1e2a758a3

SHA256
c721819731018c283a7349f78b70490b226a7910d22d7ed3c6a9f290add5b38a

SHA512
bfefb038568b70adba5aff2daead04e2ca584f66ca4b24b3ec916c5973f322d4700f305d78715283ee851509d3b254719d61d33568f3cb63a0829f154fa39471

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCE7C.tmp.exe

Filesize
5.8MB

MD5
fdd4d52bbb965c0bbf636127143f47e1

SHA1
9ec40fb93806d2eb78ce5521d049169949a7e542

SHA256
165e41f653679302af8c4cd10153a1910afa48f785291825bf0f53e79424fe41

SHA512
abfe680f13cf4ff8d5255fe2f3f8cef173df3be62f96a4387ae61445653018628c360d15b77473a27b4c0704e2f04cb079c0e105b7297830dd66282a5055c465

Download Submit
C:\Users\Admin\AppData\Local\Temp\{FFAFEA09-E7DA-4710-A278-7F0506C96829}\6C96829\ProtonVPN_win_v1.18.5.msi

Filesize
10.0MB

MD5
a60dd28d024fcf9e8a6127ebc48607d3

SHA1
08c0f02a46a11b26def6a4904f4b23e3e5eab0a4

SHA256
88d69e7711dfea37fe593fdf1b98c7648eb96a85e44bf0aa42dc038f192107e3

SHA512
3d6dfd48bc3650022be30bca4148b15f081005be7bf32872ac35a7c642641b56b05f59429245fd5b7870024b7a5d830cbebbb80776078a08a99034724b4582d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{FFAFEA09-E7DA-4710-A278-7F0506C96829}\decoder.dll

Filesize
182KB

MD5
98c6c9d8f62c556e0de37ed9b6b09f9c

SHA1
3cbd11ded91c511f2f0f752541fab831d03d4f13

SHA256
7b90f9f0879d1b1b8d1ea396a0ad2684971b2b1d2303eee8b54d8294246f9440

SHA512
0897841429087873ddf2a0b3283d1ca582333ecf60f376ce06220a33e778d513a589be52473ae11c7ae474039925b434c99cd286eb250225075777446687cc3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security.exe

Filesize
125KB

MD5
93862586de9fb44aef2df179caecea3a

SHA1
e2e2335701f80b8e3c8b52d67e02ef93f27d319a

SHA256
6aa96397546d89da9465c6eb628daabd5c793b3d92e82057b480e502bcfc22f6

SHA512
149bb8300b6d7fcb7233d85aa47261f8e5aa11b90b3d9bf904a62f1472e20da486ab16522af2516ba8f25aab82c1b4d9d6e99adb2d6d38c6e2d0794c740021ed

Download Submit
C:\Users\Admin\Documents\EdgeExplorer.exe

Filesize
1.3MB

MD5
824438344c636fdd81ff2e0d02577912

SHA1
ae288a2cc5bd0cce01615d8d568031c3e84902e2

SHA256
eaba5f0fb075665dc6568f05f66a271b0a03046da739d41de5920d78c40deb65

SHA512
09f1903c6244af5f191e64e9ff6025af6a1c752096b48d43094e5eb6f92c00a77381b49dd6d0d57fc995d4bc4a8375f0ef13d2a9cbc823e3d91b6b9f418b568b

Download Submit
C:\Users\Admin\Documents\EpicGames Service.exe

Filesize
1.1MB

MD5
b117965f227519eb5c8d6e86bc2dd2a4

SHA1
e1d80bd0958b69cc73eaf1ee26aa816f795aad63

SHA256
f8cfedc4ecdfa6a3e14f46968b5a8e6797a448b0d30f12015cd721121470fcfd

SHA512
728252062ff056079c811cfd42c52971b55e96771ecbd911c49f01c94927a1259ab96c2079e78aced2cae737302401889a3fda52c91d0eccc3719f24d17c177f

Download Submit
C:\Users\Admin\Documents\Firefoxinstaller.exe

Filesize
1.5MB

MD5
70d3bb5c6ca4166d190ad265b14f117e

SHA1
95497e892ee875ef226edf3db059121c2c5284ed

SHA256
7d8f13128ef978852b8a1446bba4f9c9dea53cbcd1fcedc08b2054cbe8b0e5d9

SHA512
0abff26122a137960f1d4564828b1456d0bdff68c87d120c3514cc2c819038d0c6c34398f67377898058b6e8d08f4676393831c413d80181786e459ef4d01720

Download Submit
C:\Users\Admin\Documents\Microsoft Compatibility Telemetry.exe

Filesize
7.1MB

MD5
006dfcd7f4d12929d5074900bf00dc22

SHA1
d8010282f5afad78f03871a8040feebb18253284

SHA256
02aa35eaff80eeb6d4bb7a773fdeac11aa9224e6c45a7af66fa1457f2662e4f0

SHA512
0d6794eba62e63ba7d6f905fdfdeb1f50c418c70b3efed5be7eab853123da5ae5959a06682b369bbe29ceb1226504476096e2fe32edff9bf251747d151a59934

Download Submit
C:\Users\Admin\Documents\Microsoft Compatibilitys Telemetry.exe

Filesize
21.4MB

MD5
e784df27426bef5378a6bcfc425acca8

SHA1
7da2e99357435e829444bb4e213738503f4c4b43

SHA256
8fc8e3f97a795ba56b3795dfc34495b0ff22cea8392197a4f0e3c97d9ca00e7d

SHA512
5dfd0838dcf47642f1f958a95301aa2a1f382c921458b8e66987d0bc6e86ebca12f9ca0c8cab158f8c8cb66dc3c57422157eb3ff26e33c11274785f27e60fca0

Download Submit
C:\Users\Admin\Documents\NortonInstaller.exe

Filesize
2.1MB

MD5
d2fe1a2f73303d37c178250add341b97

SHA1
e341e8adaec629d299101bbf1b9a3ca2bfaf7417

SHA256
26742bef88539fcb6beb9753293a4fef4044663cfcb0a799e989194fcdfd3456

SHA512
0c685c265ed28f7655bf27c1a5c1f735670df40ae6e4b835bac3cc62b63b8fe54af82ab0941ca988b1c3220e740c0b2508103a1736b72a79a27ea17bf9a1bc81

Download Submit
C:\Users\Admin\Documents\WinExplorer.exe

Filesize
1.0MB

MD5
3830fb01bdf4b41e2e9551d422caf795

SHA1
d63a892fc41d2be82de8d02a04b906a8595dcac9

SHA256
6c07127df2ebac66a59a3bc4157a891def20b61d87cf2d206353025893d01422

SHA512
5f2c54bd05b2fe4109b66e3721a19cd533899c3c694ca3a51422cb5d4015d536b96d0e16ea1f5ed8a43dc6d3e690a1702351034f3a68765d6dc6b16983c19886

Download Submit
C:\Users\Admin\Documents\WindowsExplorer.exe

Filesize
92KB

MD5
01ccde20287004986c0f29ff0df2e3b1

SHA1
18f9831e3246a08f000b0f4d6f009f2294c7c652

SHA256
862e652677b7a597b24efc1bdb16030ed8512a8e262050a4b40a829b58855860

SHA512
785545dcb74ca29b405261931be0464e65aadc84ebf51e7ad62af709b3867c3a706c9b4efc1e7f922e90c301ff0944feb2dbe6a790db7ac0ba4215b75fde86ee

Download Submit
memory/216-555-0x000000006E320000-0x000000006E36C000-memory.dmp

Filesize
304KB

Download
memory/324-61-0x00000000002D0000-0x00000000002F2000-memory.dmp

Filesize
136KB

Download
memory/324-80-0x0000000009640000-0x0000000009BE4000-memory.dmp

Filesize
5.6MB

Download
memory/324-66-0x0000000006F80000-0x0000000006F86000-memory.dmp

Filesize
24KB

Download
memory/628-99-0x00000000007F0000-0x0000000000980000-memory.dmp

Filesize
1.6MB

Download
memory/628-120-0x0000000005330000-0x0000000005370000-memory.dmp

Filesize
256KB

Download
memory/1272-391-0x000000006E320000-0x000000006E36C000-memory.dmp

Filesize
304KB

Download
memory/1548-155-0x0000000005970000-0x000000000599E000-memory.dmp

Filesize
184KB

Download
memory/1548-148-0x0000000000E80000-0x0000000000F8C000-memory.dmp

Filesize
1.0MB

Download
memory/1548-156-0x0000000005AE0000-0x0000000005AEA000-memory.dmp

Filesize
40KB

Download
memory/1596-28-0x00007FFE85343000-0x00007FFE85345000-memory.dmp

Filesize
8KB

Download
memory/1596-151-0x00007FFE85340000-0x00007FFE85E01000-memory.dmp

Filesize
10.8MB

Download
memory/1596-29-0x00000000003E0000-0x00000000009BA000-memory.dmp

Filesize
5.9MB

Download
memory/1596-35-0x00007FFE85340000-0x00007FFE85E01000-memory.dmp

Filesize
10.8MB

Download
memory/1596-33-0x00007FFE85340000-0x00007FFE85E01000-memory.dmp

Filesize
10.8MB

Download
memory/1596-34-0x00007FFE85340000-0x00007FFE85E01000-memory.dmp

Filesize
10.8MB

Download
memory/1604-431-0x000000006E320000-0x000000006E36C000-memory.dmp

Filesize
304KB

Download
memory/1660-480-0x000000006E320000-0x000000006E36C000-memory.dmp

Filesize
304KB

Download
memory/1676-109-0x0000000004DF0000-0x0000000004E26000-memory.dmp

Filesize
216KB

Download
memory/1676-108-0x0000000004F20000-0x0000000004FB2000-memory.dmp

Filesize
584KB

Download
memory/1676-72-0x00000000002A0000-0x00000000003E6000-memory.dmp

Filesize
1.3MB

Download
memory/1676-83-0x0000000004C10000-0x0000000004CAC000-memory.dmp

Filesize
624KB

Download
memory/1684-453-0x000000006E320000-0x000000006E36C000-memory.dmp

Filesize
304KB

Download
memory/2044-492-0x000000006E320000-0x000000006E36C000-memory.dmp

Filesize
304KB

Download
memory/2108-614-0x000000006E320000-0x000000006E36C000-memory.dmp

Filesize
304KB

Download
memory/2348-336-0x000000000BE90000-0x000000000C19A000-memory.dmp

Filesize
3.0MB

Download
memory/2348-134-0x0000000000B90000-0x0000000002106000-memory.dmp

Filesize
21.5MB

Download
memory/2372-918-0x0000000006310000-0x0000000006664000-memory.dmp

Filesize
3.3MB

Download
memory/2372-113-0x00000000055B0000-0x00000000055E0000-memory.dmp

Filesize
192KB

Download
memory/2372-84-0x0000000000AB0000-0x0000000000BC4000-memory.dmp

Filesize
1.1MB

Download
memory/2380-463-0x000000006E320000-0x000000006E36C000-memory.dmp

Filesize
304KB

Download
memory/2492-158-0x0000000006150000-0x00000000061A4000-memory.dmp

Filesize
336KB

Download
memory/2492-137-0x0000000000220000-0x0000000000444000-memory.dmp

Filesize
2.1MB

Download
memory/2640-401-0x000000006E320000-0x000000006E36C000-memory.dmp

Filesize
304KB

Download
memory/3184-3-0x000000001CD50000-0x000000001CDF6000-memory.dmp

Filesize
664KB

Download
memory/3184-0-0x00007FFE87BB5000-0x00007FFE87BB6000-memory.dmp

Filesize
4KB

Download
memory/3184-2-0x00007FFE87900000-0x00007FFE882A1000-memory.dmp

Filesize
9.6MB

Download
memory/3184-1-0x00007FFE87900000-0x00007FFE882A1000-memory.dmp

Filesize
9.6MB

Download
memory/3184-30-0x00007FFE87900000-0x00007FFE882A1000-memory.dmp

Filesize
9.6MB

Download
memory/3652-442-0x000000006E320000-0x000000006E36C000-memory.dmp

Filesize
304KB

Download
memory/3680-16-0x000000007458E000-0x000000007458F000-memory.dmp

Filesize
4KB

Download
memory/3680-31-0x0000000000BF0000-0x0000000001B4E000-memory.dmp

Filesize
15.4MB

Download
memory/4116-421-0x000000006E320000-0x000000006E36C000-memory.dmp

Filesize
304KB

Download
memory/4192-379-0x0000000007C30000-0x00000000082AA000-memory.dmp

Filesize
6.5MB

Download
memory/4192-366-0x00000000068A0000-0x00000000068D2000-memory.dmp

Filesize
200KB

Download
memory/4192-452-0x0000000007890000-0x0000000007926000-memory.dmp

Filesize
600KB

Download
memory/4192-441-0x0000000007680000-0x000000000768A000-memory.dmp

Filesize
40KB

Download
memory/4192-145-0x00000000029E0000-0x0000000002A16000-memory.dmp

Filesize
216KB

Download
memory/4192-181-0x0000000005F60000-0x00000000062B4000-memory.dmp

Filesize
3.3MB

Download
memory/4192-287-0x0000000006830000-0x000000000687C000-memory.dmp

Filesize
304KB

Download
memory/4192-169-0x0000000005C70000-0x0000000005C92000-memory.dmp

Filesize
136KB

Download
memory/4192-378-0x00000000074D0000-0x0000000007573000-memory.dmp

Filesize
652KB

Download
memory/4192-479-0x0000000007810000-0x0000000007821000-memory.dmp

Filesize
68KB

Download
memory/4192-170-0x0000000005DD0000-0x0000000005E36000-memory.dmp

Filesize
408KB

Download
memory/4192-286-0x00000000062E0000-0x00000000062FE000-memory.dmp

Filesize
120KB

Download
memory/4192-380-0x00000000075F0000-0x000000000760A000-memory.dmp

Filesize
104KB

Download
memory/4192-149-0x0000000005410000-0x0000000005A38000-memory.dmp

Filesize
6.2MB

Download
memory/4192-171-0x0000000005EF0000-0x0000000005F56000-memory.dmp

Filesize
408KB

Download
memory/4192-377-0x0000000006800000-0x000000000681E000-memory.dmp

Filesize
120KB

Download
memory/4192-367-0x000000006E320000-0x000000006E36C000-memory.dmp

Filesize
304KB

Download
memory/4216-381-0x000000006E320000-0x000000006E36C000-memory.dmp

Filesize
304KB

Download
memory/4316-759-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/4532-590-0x000000006E320000-0x000000006E36C000-memory.dmp

Filesize
304KB

Download
memory/4856-946-0x0000000006210000-0x000000000625C000-memory.dmp

Filesize
304KB

Download
memory/4900-603-0x000000006E320000-0x000000006E36C000-memory.dmp

Filesize
304KB

Download
memory/4948-540-0x000000006E320000-0x000000006E36C000-memory.dmp

Filesize
304KB

Download
memory/5028-613-0x0000000007660000-0x000000000766E000-memory.dmp

Filesize
56KB

Download
memory/5028-637-0x0000000007750000-0x0000000007758000-memory.dmp

Filesize
32KB

Download
memory/5028-636-0x0000000007770000-0x000000000778A000-memory.dmp

Filesize
104KB

Download
memory/5028-625-0x0000000007670000-0x0000000007684000-memory.dmp

Filesize
80KB

Download
memory/5028-411-0x000000006E320000-0x000000006E36C000-memory.dmp

Filesize
304KB

Download
memory/5280-624-0x0000000005B90000-0x0000000005BE6000-memory.dmp

Filesize
344KB

Download
memory/5280-600-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5284-641-0x000000006E320000-0x000000006E36C000-memory.dmp

Filesize
304KB

Download
memory/5320-626-0x000000006E320000-0x000000006E36C000-memory.dmp

Filesize
304KB

Download
memory/5636-651-0x000000006E320000-0x000000006E36C000-memory.dmp

Filesize
304KB

Download
memory/6200-716-0x000000006E320000-0x000000006E36C000-memory.dmp

Filesize
304KB

Download
memory/6316-691-0x000000006E320000-0x000000006E36C000-memory.dmp

Filesize
304KB

Download
memory/6404-529-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/6436-740-0x000000006E320000-0x000000006E36C000-memory.dmp

Filesize
304KB

Download
memory/6536-730-0x000000006E320000-0x000000006E36C000-memory.dmp

Filesize
304KB

Download
memory/6856-1005-0x0000000000F70000-0x0000000000F98000-memory.dmp

Filesize
160KB

Download
memory/6996-554-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/7044-565-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/7044-589-0x0000000005270000-0x000000000527A000-memory.dmp

Filesize
40KB

Download
memory/7148-640-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/7412-663-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/7412-685-0x00000000058A0000-0x00000000058AA000-memory.dmp

Filesize
40KB

Download
memory/7412-689-0x00000000058B0000-0x00000000058CE000-memory.dmp

Filesize
120KB

Download
memory/7412-690-0x0000000006510000-0x000000000651A000-memory.dmp

Filesize
40KB

Download
memory/7920-834-0x00000000004D0000-0x0000000000BFC000-memory.dmp

Filesize
7.2MB

Download
memory/7920-896-0x0000000006C50000-0x0000000006C68000-memory.dmp

Filesize
96KB

Download
memory/7960-990-0x00000000060F0000-0x000000000613C000-memory.dmp

Filesize
304KB

Download