Overview

overview

10

Static

static

3

f1fa7d91c9...18.exe

windows7-x64

10

f1fa7d91c9...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-09-2024 11:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f1fa7d91c9d5c31b8dcb25fa73a1fad3_JaffaCakes118.exe

  • Size

    1.8MB

  • MD5

    f1fa7d91c9d5c31b8dcb25fa73a1fad3

  • SHA1

    a60fef98fb8dd848fbf57374fd2f70569950fd06

  • SHA256

    deda52b25f9255b01eb0bb22444f6b8681e4a091da20c8c7d00efde1974c8025

  • SHA512

    3cd56c54248b9363424bf447fd5c92bcfc6970d6ba6bf78e92abaf246c4631a8f77a7d69f9d3bd6af99d0ccbfa6490bff556d9973a10bca0ca090c40f1dc6703

  • SSDEEP

    24576:3LKvy63ol0CibUBc6S4RBv6JhDW+baR5n9dV83mNO+b5j5ZmDQG5+a:3Ll63C0h6dXvSdaR93V83eljG

Score
10/10
asyncratblacknetnanocorenjratbotclientdefaultdiscoveryevasionexecutionkeyloggerpersistenceratspywarestealertrojanupx

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

Client

C2

dontreachme3.ddns.net:3604

Mutex

EdgeBrowser.exe

Attributes
  • reg_key

    EdgeBrowser.exe

  • splitter

    123

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

Bot

C2

https://furyx.de/panel

Mutex

BN[e5decf896675e5ecc7bbef8ebff8a786]

Attributes
  • antivm

    false

  • elevate_uac

    false

  • install_name

    WindowsUpdate.exe

  • splitter

    |BN|

  • start_name

    50651597687556f33b7fc75d90350b99

  • startup

    false

  • usb_spread

    true

aes.plain

Extracted

Family

nanocore

Version

1.2.2.0

C2

dontreachme3.ddns.net:3603

dontreachme1.ddns.net:3603
Mutex

19a5c2b0-5593-40da-9945-6c6b53e85d75

Attributes
  • activate_away_mode

    false

  • backup_connection_host

    dontreachme1.ddns.net

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2020-11-15T15:45:18.745530536Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data

    PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+

  • clear_access_control

    false

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    3603

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    19a5c2b0-5593-40da-9945-6c6b53e85d75

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    dontreachme3.ddns.net

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    false

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

dontreachme3.ddns.net:3601

dontreachme1.ddns.net:3601
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_file

    EpicGames.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • BlackNET

    BlackNET is an open source remote access tool written in VB.NET.

    trojanblacknet
  • BlackNET payload 1 IoCs
  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
    persistence
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 35 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Drops startup file 10 IoCs
  • Executes dropped EXE 26 IoCs
  • Loads dropped DLL 58 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 18 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 21 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Suspicious use of SetThreadContext 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Delays execution with timeout.exe 8 IoCs
    evasion
  • Modifies registry key 1 TTPs 2 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1fa7d91c9d5c31b8dcb25fa73a1fad3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f1fa7d91c9d5c31b8dcb25fa73a1fad3_JaffaCakes118.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2504
    • C:\Users\Admin\AppData\Local\Temp\tmpA802.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpA802.tmp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2316
      • C:\Users\Admin\Documents\WD+UAC.exe
        "C:\Users\Admin\Documents\WD+UAC.exe"
        3⤵
        • UAC bypass
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2092
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 620
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:1928
      • C:\Users\Admin\Documents\MicrosoftCompatibility Download.exe
        "C:\Users\Admin\Documents\MicrosoftCompatibility Download.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies system certificate store
        • Suspicious use of AdjustPrivilegeToken
        PID:2756
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1692
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:1904
      • C:\Users\Admin\Documents\EasyAASM.exe
        "C:\Users\Admin\Documents\EasyAASM.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2156
        • C:\Windows\SysWOW64\reagentc.exe
          reagentc.exe /disable
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2220
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2828
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2872
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension exe
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2740
        • C:\Users\Admin\AppData\Roaming\realtekaudio.exe
          "C:\Users\Admin\AppData\Roaming\realtekaudio.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Windows security bypass
          • Drops startup file
          • Executes dropped EXE
          • Windows security modification
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2660
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe" -Force
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:536
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe" -Force
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1812
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe" -Force
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1204
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\realtekaudio.exe" -Force
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2596
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c timeout 1
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3064
            • C:\Windows\SysWOW64\timeout.exe
              timeout 1
              6⤵
              • System Location Discovery: System Language Discovery
              • Delays execution with timeout.exe
              PID:1588
          • C:\Users\Admin\AppData\Roaming\realtekaudio.exe
            "C:\Users\Admin\AppData\Roaming\realtekaudio.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2428
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 1776
            5⤵
            • Loads dropped DLL
            • Program crash
            PID:612
        • C:\Users\Admin\AppData\Roaming\realtekaudio.exe
          C:\Users\Admin\AppData\Roaming\realtekaudio.exe
          4⤵
          • Modifies WinLogon for persistence
          • Windows security bypass
          • Executes dropped EXE
          • Windows security modification
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2316
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe" -Force
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1920
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe" -Force
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2940
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe" -Force
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2752
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\realtekaudio.exe" -Force
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2392
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c timeout 1
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2216
            • C:\Windows\SysWOW64\timeout.exe
              timeout 1
              6⤵
              • System Location Discovery: System Language Discovery
              • Delays execution with timeout.exe
              PID:2556
          • C:\Users\Admin\AppData\Roaming\realtekaudio.exe
            "C:\Users\Admin\AppData\Roaming\realtekaudio.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1636
      • C:\Users\Admin\Documents\Firefoxinstaller.exe
        "C:\Users\Admin\Documents\Firefoxinstaller.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Windows security bypass
        • Drops startup file
        • Executes dropped EXE
        • Loads dropped DLL
        • Windows security modification
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2684
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe" -Force
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:848
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe" -Force
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1084
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe" -Force
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1960
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\Firefoxinstaller.exe" -Force
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2400
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout 1
          4⤵
            PID:1800
            • C:\Windows\SysWOW64\timeout.exe
              timeout 1
              5⤵
              • System Location Discovery: System Language Discovery
              • Delays execution with timeout.exe
              PID:3020
          • C:\Users\Admin\Documents\Firefoxinstaller.exe
            "C:\Users\Admin\Documents\Firefoxinstaller.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            PID:2948
            • C:\Users\Admin\Documents\Firefoxinstaller.exe
              "C:\Users\Admin\Documents\Firefoxinstaller.exe"
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:2900
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 696
            4⤵
            • Loads dropped DLL
            • Program crash
            PID:1608
        • C:\Users\Admin\Documents\NortonInstaller.exe
          "C:\Users\Admin\Documents\NortonInstaller.exe"
          3⤵
          • Modifies WinLogon for persistence
          • Modifies Windows Defender Real-time Protection settings
          • Windows security bypass
          • Drops startup file
          • Executes dropped EXE
          • Loads dropped DLL
          • Windows security modification
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2188
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe" -Force
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2112
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe" -Force
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1688
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe" -Force
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1132
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\NortonInstaller.exe" -Force
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2452
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c timeout 1
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2440
            • C:\Windows\SysWOW64\timeout.exe
              timeout 1
              5⤵
              • Delays execution with timeout.exe
              PID:1620
          • C:\Users\Admin\Documents\NortonInstaller.exe
            "C:\Users\Admin\Documents\NortonInstaller.exe"
            4⤵
            • Executes dropped EXE
            PID:3064
          • C:\Users\Admin\Documents\NortonInstaller.exe
            "C:\Users\Admin\Documents\NortonInstaller.exe"
            4⤵
            • Executes dropped EXE
            PID:908
          • C:\Users\Admin\Documents\NortonInstaller.exe
            "C:\Users\Admin\Documents\NortonInstaller.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:1648
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks.exe" /create /f /tn "SCSI Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC504.tmp"
              5⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:548
        • C:\Users\Admin\Documents\WinExplorer.exe
          "C:\Users\Admin\Documents\WinExplorer.exe"
          3⤵
          • Modifies WinLogon for persistence
          • Windows security bypass
          • Drops startup file
          • Executes dropped EXE
          • Windows security modification
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2228
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe" -Force
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:376
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe" -Force
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1772
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe" -Force
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1852
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\WinExplorer.exe" -Force
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            PID:548
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c timeout 1
            4⤵
              PID:2564
              • C:\Windows\SysWOW64\timeout.exe
                timeout 1
                5⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:3056
            • C:\Users\Admin\Documents\WinExplorer.exe
              "C:\Users\Admin\Documents\WinExplorer.exe"
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2668
              • C:\Users\Admin\Documents\WindowsExplorer.exe
                "C:\Users\Admin\Documents\WindowsExplorer.exe"
                5⤵
                • Modifies WinLogon for persistence
                • Adds policy Run key to start application
                • Executes dropped EXE
                • Adds Run key to start application
                • Modifies WinLogon
                • System Location Discovery: System Language Discovery
                PID:1132
                • C:\Windows\SysWOW64\cmd.exe
                  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                  6⤵
                  • System Location Discovery: System Language Discovery
                  PID:2688
                  • C:\Windows\SysWOW64\reg.exe
                    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                    7⤵
                    • UAC bypass
                    • System Location Discovery: System Language Discovery
                    • Modifies registry key
                    PID:1748
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
                  6⤵
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  PID:2104
                  • C:\Windows\SysWOW64\PING.EXE
                    PING 127.0.0.1 -n 2
                    7⤵
                    • System Network Configuration Discovery: Internet Connection Discovery
                    • Runs ping.exe
                    PID:1056
                  • C:\explorer\explorer.exe
                    "C:\explorer\explorer.exe"
                    7⤵
                    • Modifies WinLogon for persistence
                    • Adds policy Run key to start application
                    • Executes dropped EXE
                    • Adds Run key to start application
                    • Modifies WinLogon
                    • Suspicious use of SetWindowsHookEx
                    PID:1272
                    • C:\Windows\SysWOW64\cmd.exe
                      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                      8⤵
                      • System Location Discovery: System Language Discovery
                      PID:2284
                      • C:\Windows\SysWOW64\reg.exe
                        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                        9⤵
                        • UAC bypass
                        • System Location Discovery: System Language Discovery
                        • Modifies registry key
                        PID:2732
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 692
              4⤵
              • Loads dropped DLL
              • Program crash
              PID:2776
          • C:\Users\Admin\Documents\EdgeBrowser.exe
            "C:\Users\Admin\Documents\EdgeBrowser.exe"
            3⤵
            • Modifies WinLogon for persistence
            • Windows security bypass
            • Drops startup file
            • Executes dropped EXE
            • Windows security modification
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:396
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1156
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1480
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1144
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\EdgeBrowser.exe" -Force
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2264
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c timeout 1
              4⤵
              • System Location Discovery: System Language Discovery
              PID:2468
              • C:\Windows\SysWOW64\timeout.exe
                timeout 1
                5⤵
                • Delays execution with timeout.exe
                PID:1080
            • C:\Users\Admin\Documents\EdgeBrowser.exe
              "C:\Users\Admin\Documents\EdgeBrowser.exe"
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:556
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /Delete /tn NYAN /F
                5⤵
                  PID:2256
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /tn NYAN /tr "C:\Users\Admin\Documents\EdgeBrowser.exe" /sc minute /mo 1
                  5⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:2480
                • C:\Users\Admin\EdgeBrowser.exe
                  "C:\Users\Admin\EdgeBrowser.exe"
                  5⤵
                  • Modifies WinLogon for persistence
                  • Windows security bypass
                  • Executes dropped EXE
                  • Windows security modification
                  • Adds Run key to start application
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1644
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1592
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2448
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2392
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\EdgeBrowser.exe" -Force
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2408
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c timeout 1
                    6⤵
                    • System Location Discovery: System Language Discovery
                    PID:2564
                    • C:\Windows\SysWOW64\timeout.exe
                      timeout 1
                      7⤵
                      • System Location Discovery: System Language Discovery
                      • Delays execution with timeout.exe
                      PID:1640
                  • C:\Users\Admin\EdgeBrowser.exe
                    "C:\Users\Admin\EdgeBrowser.exe"
                    6⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2176
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /Delete /tn NYAN /F
                      7⤵
                      • System Location Discovery: System Language Discovery
                      PID:1636
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /tn NYAN /tr "C:\Users\Admin\EdgeBrowser.exe" /sc minute /mo 1
                      7⤵
                      • System Location Discovery: System Language Discovery
                      • Scheduled Task/Job: Scheduled Task
                      PID:1512
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 772
                    6⤵
                    • Loads dropped DLL
                    • Program crash
                    PID:1156
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 696
                4⤵
                • Loads dropped DLL
                • Program crash
                PID:2772
          • C:\Users\Admin\AppData\Local\Temp\tmpA9A8.tmp.exe
            "C:\Users\Admin\AppData\Local\Temp\tmpA9A8.tmp.exe"
            2⤵
            • Executes dropped EXE
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            PID:2084
        • C:\Windows\system32\conhost.exe
          \??\C:\Windows\system32\conhost.exe "671490364766127421996658859-20010134781108076657-1574097685-1507931068323077266"
          1⤵
            PID:1080
          • C:\Windows\system32\conhost.exe
            \??\C:\Windows\system32\conhost.exe "318228905-319739204-837794658-2089991296-1088891503-200382978-15504890511985903123"
            1⤵
              PID:2732
            • C:\Windows\system32\taskeng.exe
              taskeng.exe {59B54FD9-7817-4F47-A371-59EE67808F7F} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
              1⤵
                PID:2240
                • C:\Users\Admin\Documents\EdgeBrowser.exe
                  C:\Users\Admin\Documents\EdgeBrowser.exe
                  2⤵
                  • Modifies WinLogon for persistence
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Suspicious use of SetThreadContext
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1724
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
                    3⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Drops file in System32 directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2680
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
                    3⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1864
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
                    3⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2956
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\EdgeBrowser.exe" -Force
                    3⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2520
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c timeout 1
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:2768
                    • C:\Windows\SysWOW64\timeout.exe
                      timeout 1
                      4⤵
                      • Delays execution with timeout.exe
                      PID:2816
                  • C:\Users\Admin\Documents\EdgeBrowser.exe
                    "C:\Users\Admin\Documents\EdgeBrowser.exe"
                    3⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:1912
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /Delete /tn NYAN /F
                      4⤵
                      • System Location Discovery: System Language Discovery
                      PID:1624
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /tn NYAN /tr "C:\Users\Admin\Documents\EdgeBrowser.exe" /sc minute /mo 1
                      4⤵
                      • System Location Discovery: System Language Discovery
                      • Scheduled Task/Job: Scheduled Task
                      PID:1544
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 932
                    3⤵
                    • Loads dropped DLL
                    • Program crash
                    PID:1552

              Network

              MITRE ATT&CK Enterprise v15

              Reconnaissance

              Resource Development

              Initial Access

              Execution

              Command and Scripting Interpreter

              1
              T1059

              PowerShell

              1
              T1059.001

              Scheduled Task/Job

              1
              T1053

              Scheduled Task

              1
              T1053.005

              Persistence

              Boot or Logon Autostart Execution

              4
              T1547

              Registry Run Keys / Startup Folder

              2
              T1547.001

              Winlogon Helper DLL

              2
              T1547.004

              Create or Modify System Process

              1
              T1543

              Windows Service

              1
              T1543.003

              Scheduled Task/Job

              1
              T1053

              Scheduled Task

              1
              T1053.005

              Privilege Escalation

              Abuse Elevation Control Mechanism

              1
              T1548

              Bypass User Account Control

              1
              T1548.002

              Boot or Logon Autostart Execution

              4
              T1547

              Registry Run Keys / Startup Folder

              2
              T1547.001

              Winlogon Helper DLL

              2
              T1547.004

              Create or Modify System Process

              1
              T1543

              Windows Service

              1
              T1543.003

              Scheduled Task/Job

              1
              T1053

              Scheduled Task

              1
              T1053.005

              Defense Evasion

              Abuse Elevation Control Mechanism

              1
              T1548

              Bypass User Account Control

              1
              T1548.002

              Impair Defenses

              4
              T1562

              Disable or Modify Tools

              4
              T1562.001

              Modify Registry

              11
              T1112

              Subvert Trust Controls

              1
              T1553

              Install Root Certificate

              1
              T1553.004

              Credential Access

              Discovery

              Remote System Discovery

              1
              T1018

              System Information Discovery

              2
              T1082

              System Location Discovery

              1
              T1614

              System Language Discovery

              1
              T1614.001

              System Network Configuration Discovery

              1
              T1016

              Internet Connection Discovery

              1
              T1016.001

              Lateral Movement

              Collection

              Command and Control

              Web Service

              1
              T1102

              Exfiltration

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\install.bat
                Filesize

                127B

                MD5

                80b32b79bf519fce07cdf7b8b7881067

                SHA1

                2fe368e8f5855ef5f08c46f389bf3b5482ace60b

                SHA256

                8ed98d8b82c482aaa79a8ea2f1aaea676c5641d69f2478ba7f241e990d5d99b1

                SHA512

                dc7b986bd5de842d8beb315dea77a424194701b6272cac884dd31cd04586879fa93f3d1f44ec9ca01625b31115b00a2b5fe5028baef7d9ab277881653cab116e

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\tmpA802.tmp.exe
                Filesize

                1.3MB

                MD5

                11ee7471fc15a11b25135052aa282602

                SHA1

                bacf067665074dddd07b74c0ff44e27d549e6866

                SHA256

                7c85333ea420f466a6d3113f5ded4c3cadc8ba4d9ae92fe2f53d475543c8c87b

                SHA512

                391087e5eefd09f8013824ffdb7b2d5c27c41e259b56e19dbde061862276125dd6998468b71007503edad28e9d7cb5e88b15b9977a666a00194c3a6063e152d7

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\tmpA9A8.tmp.exe
                Filesize

                479KB

                MD5

                ba9409e272ccd7bb5a43e9d28f1b7440

                SHA1

                2dd25abd0c6e55e05f596671c839ed035e00e61d

                SHA256

                73b7fea4754e8be18812adc0ddd7b3c3c8c3797a889cc801cc94c7195027aa11

                SHA512

                89a1e4e77465c965cfe9c1ab2983d601506469cafbebc327daeee52fefd319a4f988af375e932060a3debab5fea7ad7830ec8b0453daa08f7320358c54472bc9

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                Filesize

                7KB

                MD5

                a81b33ec9ee622035ec43138141eebca

                SHA1

                ac960dffb8f3bef359fa4a463c686e0c0d153b25

                SHA256

                a248ddb361204ed18808c2493c7cf9e40b5e98915b166c3b5d83ba878b63d6d6

                SHA512

                5cd42ad23e5e4d37cabd50c38ee18856edc9cf313a36cbc30f5b0dbe033361d744400bb713b3e561eacd5a98a772537287531229edd8909a302ed0bf15c08d76

                Download Submit

              • C:\Users\Admin\AppData\Roaming\realtekaudio.exe
                Filesize

                1.1MB

                MD5

                b117965f227519eb5c8d6e86bc2dd2a4

                SHA1

                e1d80bd0958b69cc73eaf1ee26aa816f795aad63

                SHA256

                f8cfedc4ecdfa6a3e14f46968b5a8e6797a448b0d30f12015cd721121470fcfd

                SHA512

                728252062ff056079c811cfd42c52971b55e96771ecbd911c49f01c94927a1259ab96c2079e78aced2cae737302401889a3fda52c91d0eccc3719f24d17c177f

                Download Submit

              • C:\Users\Admin\Documents\EasyAASM.exe
                Filesize

                315KB

                MD5

                4807d6b3bc3740ed58861f208470d076

                SHA1

                5efe5de43d28aeaa24c7065ce7113fd0c96f2539

                SHA256

                133a86c10b14d53d0807901d3cd477b0e1f62b9351707fe82ded7fe19c1f7689

                SHA512

                e1494471bc8bf182b694907714043cc39d7e4003ccfd56d1fc41c3d15071bf2cc4347858afacff174849be30b32aab828f91d13f3dd58629e0f560918bca6475

                Download Submit

              • C:\Users\Admin\Documents\EdgeBrowser.exe
                Filesize

                1.3MB

                MD5

                824438344c636fdd81ff2e0d02577912

                SHA1

                ae288a2cc5bd0cce01615d8d568031c3e84902e2

                SHA256

                eaba5f0fb075665dc6568f05f66a271b0a03046da739d41de5920d78c40deb65

                SHA512

                09f1903c6244af5f191e64e9ff6025af6a1c752096b48d43094e5eb6f92c00a77381b49dd6d0d57fc995d4bc4a8375f0ef13d2a9cbc823e3d91b6b9f418b568b

                Download Submit

              • C:\Users\Admin\Documents\Firefoxinstaller.exe
                Filesize

                1.5MB

                MD5

                70d3bb5c6ca4166d190ad265b14f117e

                SHA1

                95497e892ee875ef226edf3db059121c2c5284ed

                SHA256

                7d8f13128ef978852b8a1446bba4f9c9dea53cbcd1fcedc08b2054cbe8b0e5d9

                SHA512

                0abff26122a137960f1d4564828b1456d0bdff68c87d120c3514cc2c819038d0c6c34398f67377898058b6e8d08f4676393831c413d80181786e459ef4d01720

                Download Submit

              • C:\Users\Admin\Documents\MicrosoftCompatibility Download.exe
                Filesize

                29KB

                MD5

                cc4dacf8520e38549ad23aaeedf67027

                SHA1

                2583bf30caee94ea804201c65d55d6e4df7f643f

                SHA256

                671d6806eb42b720d6fd9aa0e19c14918bb79204db90b5db1fbdf67ee87c253f

                SHA512

                4e8ad8b28d596c9844d5255e9f25f3e9999433e8804e1eb2af2bf3a1aba2742c1a4df500b460c5837f596f41f0d3f05686c5d817de6b294edbae1a652c63725a

                Download Submit

              • C:\Users\Admin\Documents\NortonInstaller.exe
                Filesize

                2.1MB

                MD5

                d2fe1a2f73303d37c178250add341b97

                SHA1

                e341e8adaec629d299101bbf1b9a3ca2bfaf7417

                SHA256

                26742bef88539fcb6beb9753293a4fef4044663cfcb0a799e989194fcdfd3456

                SHA512

                0c685c265ed28f7655bf27c1a5c1f735670df40ae6e4b835bac3cc62b63b8fe54af82ab0941ca988b1c3220e740c0b2508103a1736b72a79a27ea17bf9a1bc81

                Download Submit

              • C:\Users\Admin\Documents\WD+UAC.exe
                Filesize

                97KB

                MD5

                a77ff55010a30b7bda46c35f74c160ea

                SHA1

                2be0031a06e02ce9a16ffd59747e793314759167

                SHA256

                7a2b062cfbd490970999dff5b19a25b0600d6ada1cf1271066dcf335d74dee30

                SHA512

                fdd0e51697aa2bcea5ae6939493cc5360794f96429e08d194ac1b72b689221da047bae8be0f698654b42e23f5381b102b0854e1cece20557df93db1c596eed02

                Download Submit

              • C:\Users\Admin\Documents\WinExplorer.exe
                Filesize

                1.0MB

                MD5

                3830fb01bdf4b41e2e9551d422caf795

                SHA1

                d63a892fc41d2be82de8d02a04b906a8595dcac9

                SHA256

                6c07127df2ebac66a59a3bc4157a891def20b61d87cf2d206353025893d01422

                SHA512

                5f2c54bd05b2fe4109b66e3721a19cd533899c3c694ca3a51422cb5d4015d536b96d0e16ea1f5ed8a43dc6d3e690a1702351034f3a68765d6dc6b16983c19886

                Download Submit

              • C:\Users\Admin\Documents\WindowsExplorer.exe
                Filesize

                92KB

                MD5

                01ccde20287004986c0f29ff0df2e3b1

                SHA1

                18f9831e3246a08f000b0f4d6f009f2294c7c652

                SHA256

                862e652677b7a597b24efc1bdb16030ed8512a8e262050a4b40a829b58855860

                SHA512

                785545dcb74ca29b405261931be0464e65aadc84ebf51e7ad62af709b3867c3a706c9b4efc1e7f922e90c301ff0944feb2dbe6a790db7ac0ba4215b75fde86ee

                Download Submit

              • memory/396-83-0x0000000000190000-0x00000000002D6000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/396-84-0x0000000000710000-0x0000000000746000-memory.dmp

                Filesize

                216KB

                Download

              • memory/556-203-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                Filesize

                4KB

                Download

              • memory/556-201-0x0000000000400000-0x000000000041A000-memory.dmp

                Filesize

                104KB

                Download

              • memory/556-220-0x0000000000400000-0x000000000041A000-memory.dmp

                Filesize

                104KB

                Download

              • memory/556-219-0x0000000000400000-0x000000000041A000-memory.dmp

                Filesize

                104KB

                Download

              • memory/556-195-0x0000000000400000-0x000000000041A000-memory.dmp

                Filesize

                104KB

                Download

              • memory/556-204-0x0000000000400000-0x000000000041A000-memory.dmp

                Filesize

                104KB

                Download

              • memory/556-199-0x0000000000400000-0x000000000041A000-memory.dmp

                Filesize

                104KB

                Download

              • memory/556-197-0x0000000000400000-0x000000000041A000-memory.dmp

                Filesize

                104KB

                Download

              • memory/1644-478-0x0000000000250000-0x0000000000286000-memory.dmp

                Filesize

                216KB

                Download

              • memory/1644-477-0x0000000000280000-0x00000000003C6000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/1648-236-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1648-237-0x0000000000400000-0x000000000043A000-memory.dmp

                Filesize

                232KB

                Download

              • memory/1648-349-0x00000000004A0000-0x00000000004AA000-memory.dmp

                Filesize

                40KB

                Download

              • memory/1648-239-0x0000000000400000-0x000000000043A000-memory.dmp

                Filesize

                232KB

                Download

              • memory/1648-240-0x0000000000400000-0x000000000043A000-memory.dmp

                Filesize

                232KB

                Download

              • memory/1648-234-0x0000000000400000-0x000000000043A000-memory.dmp

                Filesize

                232KB

                Download

              • memory/1648-347-0x00000000003A0000-0x00000000003AA000-memory.dmp

                Filesize

                40KB

                Download

              • memory/1648-348-0x0000000000480000-0x000000000049E000-memory.dmp

                Filesize

                120KB

                Download

              • memory/1648-228-0x0000000000400000-0x000000000043A000-memory.dmp

                Filesize

                232KB

                Download

              • memory/1648-230-0x0000000000400000-0x000000000043A000-memory.dmp

                Filesize

                232KB

                Download

              • memory/1648-232-0x0000000000400000-0x000000000043A000-memory.dmp

                Filesize

                232KB

                Download

              • memory/2084-13-0x0000000000400000-0x00000000004AC000-memory.dmp

                Filesize

                688KB

                Download

              • memory/2084-395-0x0000000000400000-0x00000000004AC000-memory.dmp

                Filesize

                688KB

                Download

              • memory/2092-44-0x0000000000FF0000-0x0000000001012000-memory.dmp

                Filesize

                136KB

                Download

              • memory/2092-52-0x00000000001F0000-0x00000000001F6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/2156-42-0x0000000001160000-0x00000000011B6000-memory.dmp

                Filesize

                344KB

                Download

              • memory/2156-129-0x0000000004AB0000-0x0000000004BC4000-memory.dmp

                Filesize

                1.1MB

                Download

              • memory/2188-65-0x0000000000E40000-0x0000000001064000-memory.dmp

                Filesize

                2.1MB

                Download

              • memory/2188-241-0x00000000003F0000-0x0000000000430000-memory.dmp

                Filesize

                256KB

                Download

              • memory/2188-85-0x0000000000590000-0x00000000005E4000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2228-90-0x0000000000250000-0x000000000027E000-memory.dmp

                Filesize

                184KB

                Download

              • memory/2228-77-0x0000000001180000-0x000000000128C000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/2316-16-0x00000000013B0000-0x00000000014F8000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/2428-408-0x0000000000400000-0x0000000000412000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2504-1-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp

                Filesize

                9.6MB

                Download

              • memory/2504-0-0x000007FEF569E000-0x000007FEF569F000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2504-15-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp

                Filesize

                9.6MB

                Download

              • memory/2504-2-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp

                Filesize

                9.6MB

                Download

              • memory/2660-359-0x0000000000D90000-0x0000000000EA4000-memory.dmp

                Filesize

                1.1MB

                Download

              • memory/2660-360-0x0000000000A20000-0x0000000000A50000-memory.dmp

                Filesize

                192KB

                Download

              • memory/2668-303-0x0000000000400000-0x0000000000412000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2668-294-0x0000000000400000-0x0000000000412000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2668-296-0x0000000000400000-0x0000000000412000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2668-298-0x0000000000400000-0x0000000000412000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2668-300-0x0000000000400000-0x0000000000412000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2668-302-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2668-306-0x0000000000400000-0x0000000000412000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2668-304-0x0000000000400000-0x0000000000412000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2684-59-0x0000000000D90000-0x0000000000F20000-memory.dmp

                Filesize

                1.6MB

                Download

              • memory/2684-88-0x0000000000800000-0x0000000000840000-memory.dmp

                Filesize

                256KB

                Download

              • memory/2756-43-0x0000000000A70000-0x0000000000A7E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/2900-323-0x0000000000400000-0x000000000041E000-memory.dmp

                Filesize

                120KB

                Download

              • memory/2948-218-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB

                Download

              • memory/2948-206-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB

                Download

              • memory/2948-208-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB

                Download

              • memory/2948-210-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB

                Download

              • memory/2948-212-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB

                Download

              • memory/2948-214-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2948-215-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB

                Download

              • memory/2948-217-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB

                Download

              • memory/2948-308-0x0000000000430000-0x000000000043A000-memory.dmp

                Filesize

                40KB

                Download