asyncrat | deda52b25f9255b01eb0bb22444f6b8681e4a091da20c8c7d00efde1974c8025

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2024 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1fa7d91c9d5c31b8dcb25fa73a1fad3_JaffaCakes118.exe
Size

1.8MB
MD5

f1fa7d91c9d5c31b8dcb25fa73a1fad3
SHA1

a60fef98fb8dd848fbf57374fd2f70569950fd06
SHA256

deda52b25f9255b01eb0bb22444f6b8681e4a091da20c8c7d00efde1974c8025
SHA512

3cd56c54248b9363424bf447fd5c92bcfc6970d6ba6bf78e92abaf246c4631a8f77a7d69f9d3bd6af99d0ccbfa6490bff556d9973a10bca0ca090c40f1dc6703
SSDEEP

24576:3LKvy63ol0CibUBc6S4RBv6JhDW+baR5n9dV83mNO+b5j5ZmDQG5+a:3Ll63C0h6dXvSdaR93V83eljG

Score

10^/10

asyncrat blacknet nanocore njrat bot client default discovery evasion execution keylogger persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

Bot

https://furyx.de/panel

Mutex

BN[e5decf896675e5ecc7bbef8ebff8a786]

Attributes

antivm
false
elevate_uac
false
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
50651597687556f33b7fc75d90350b99
startup
false
usb_spread
true

aes.plain

Extracted

Family

njrat

Version

0.7.3

Botnet

Client

dontreachme3.ddns.net:3604

Mutex

EdgeBrowser.exe

Attributes

reg_key
EdgeBrowser.exe
splitter
123

Extracted

Family

nanocore

Version

1.2.2.0

dontreachme3.ddns.net:3603

dontreachme1.ddns.net:3603

Mutex

19a5c2b0-5593-40da-9945-6c6b53e85d75

Attributes

activate_away_mode
false
backup_connection_host
dontreachme1.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-11-15T15:45:18.745530536Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
3603
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
19a5c2b0-5593-40da-9945-6c6b53e85d75
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
dontreachme3.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
false
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

dontreachme3.ddns.net:3601

dontreachme1.ddns.net:3601

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_file
EpicGames.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/6672-440-0x0000000000400000-0x000000000041E000-memory.dmp	family_blacknet

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/6672-440-0x0000000000400000-0x000000000041E000-memory.dmp	disable_win_def

Modifies WinLogon for persistence 2 TTPs 13 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

NortonInstaller.exeexplorer.exeEdgeBrowser.exerealtekaudio.exeEdgeBrowser.exeWinExplorer.exeWindowsExplorer.exeFirefoxinstaller.exeEdgeBrowser.exerealtekaudio.exeEdgeBrowser.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\Documents\\NortonInstaller.exe\""	NortonInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\explorer\\explorer.exe\""	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\EdgeBrowser.exe\""	EdgeBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\realtekaudio.exe\""	realtekaudio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\explorer\\explorer.exe\""	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\EdgeBrowser.exe\""	EdgeBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\Documents\\WinExplorer.exe\""	WinExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\explorer\\explorer.exe\""	WindowsExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\Documents\\Firefoxinstaller.exe\""	Firefoxinstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\Documents\\EdgeBrowser.exe\""	EdgeBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\realtekaudio.exe\""	realtekaudio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\explorer\\explorer.exe\""	WindowsExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\EdgeBrowser.exe\""	EdgeBrowser.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

Firefoxinstaller.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Firefoxinstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Firefoxinstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	Firefoxinstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Firefoxinstaller.exe

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disable or Modify Tools
T1562.001

Modify Registry
T1112

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

WD+UAC.exereg.exereg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WD+UAC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

WinExplorer.exeNortonInstaller.exeEdgeBrowser.exeFirefoxinstaller.exeEdgeBrowser.exerealtekaudio.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe = "0"	WinExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe = "0"	NortonInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe = "0"	EdgeBrowser.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\Firefoxinstaller.exe = "0"	Firefoxinstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\WinExplorer.exe = "0"	WinExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\EdgeBrowser.exe = "0"	EdgeBrowser.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	Firefoxinstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe = "0"	Firefoxinstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe = "0"	realtekaudio.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\realtekaudio.exe = "0"	realtekaudio.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\NortonInstaller.exe = "0"	NortonInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\EdgeBrowser.exe = "0"	EdgeBrowser.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WindowsExplorer.exeexplorer.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WindowsExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RuntimeBroker = "\"C:\\explorer\\explorer.exe\""	WindowsExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RuntimeBroker = "\"C:\\explorer\\explorer.exe\""	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 39 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
4972	powershell.exe
636	powershell.exe
5012	powershell.exe
5172	powershell.exe
6212	powershell.exe
3916	powershell.exe
3172	powershell.exe
2504	powershell.exe
1864	powershell.exe
2040	powershell.exe
4848	powershell.exe
6960	powershell.exe
2744	powershell.exe
1968	powershell.exe
3464	powershell.exe
3560	powershell.exe
4516	powershell.exe
7040	powershell.exe
6644	powershell.exe
4936	powershell.exe
212	powershell.exe
4140	powershell.exe
4344	powershell.exe
2268	powershell.exe
1212	powershell.exe
412	powershell.exe
5480	powershell.exe
6840	powershell.exe
5800	powershell.exe
1620	powershell.exe
4176	powershell.exe
4352	powershell.exe
4204	powershell.exe
4288	powershell.exe
936	powershell.exe
220	powershell.exe
6040	powershell.exe
2824	powershell.exe
6436	powershell.exe

Drops file in Drivers directory 1 IoCs

Processes:

EasyAASM.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	EasyAASM.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmpF666.tmp.exeWinExplorer.exeWinExplorer.exeEdgeBrowser.exeEdgeBrowser.exeFirefoxinstaller.exeNortonInstaller.exeEasyAASM.exeWindowsExplorer.exeEdgeBrowser.exef1fa7d91c9d5c31b8dcb25fa73a1fad3_JaffaCakes118.exeEdgeBrowser.exerealtekaudio.exerealtekaudio.exeFirefoxinstaller.exeEdgeBrowser.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	tmpF666.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WinExplorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WinExplorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	EdgeBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	EdgeBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Firefoxinstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	NortonInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	EasyAASM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WindowsExplorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	EdgeBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	f1fa7d91c9d5c31b8dcb25fa73a1fad3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	EdgeBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	realtekaudio.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	realtekaudio.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Firefoxinstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	EdgeBrowser.exe

Drops startup file 10 IoCs

Processes:

NortonInstaller.exerealtekaudio.exeFirefoxinstaller.exeWinExplorer.exeEdgeBrowser.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe	NortonInstaller.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe	realtekaudio.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe	Firefoxinstaller.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe	Firefoxinstaller.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe	WinExplorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe	WinExplorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe	NortonInstaller.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe	EdgeBrowser.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe	EdgeBrowser.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe	realtekaudio.exe

Executes dropped EXE 28 IoCs

Processes:

tmpF666.tmp.exetmpF974.tmp.exeWD+UAC.exeMicrosoftCompatibility Download.exeEasyAASM.exeFirefoxinstaller.exeNortonInstaller.exeWinExplorer.exeEdgeBrowser.exerealtekaudio.exerealtekaudio.exeFirefoxinstaller.exeFirefoxinstaller.exeWinExplorer.exeEdgeBrowser.exeNortonInstaller.exeNortonInstaller.exeNortonInstaller.exeWindowsExplorer.exerealtekaudio.exerealtekaudio.exeEdgeBrowser.exeexplorer.exeEdgeBrowser.exeEdgeBrowser.exeEdgeBrowser.exeEdgeBrowser.exeEdgeBrowser.exe

pid	Process
3548	tmpF666.tmp.exe
3352	tmpF974.tmp.exe
8	WD+UAC.exe
668	MicrosoftCompatibility Download.exe
4776	EasyAASM.exe
3612	Firefoxinstaller.exe
2752	NortonInstaller.exe
4544	WinExplorer.exe
1008	EdgeBrowser.exe
5356	realtekaudio.exe
5376	realtekaudio.exe
6392	Firefoxinstaller.exe
6672	Firefoxinstaller.exe
5348	WinExplorer.exe
7000	EdgeBrowser.exe
6724	NortonInstaller.exe
1856	NortonInstaller.exe
1960	NortonInstaller.exe
6916	WindowsExplorer.exe
5744	realtekaudio.exe
5400	realtekaudio.exe
5236	EdgeBrowser.exe
960	explorer.exe
2796	EdgeBrowser.exe
732	EdgeBrowser.exe
5168	EdgeBrowser.exe
3692	EdgeBrowser.exe
4192	EdgeBrowser.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023482-19.dat	upx
behavioral2/memory/3352-33-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral2/memory/3352-316-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral2/memory/3352-442-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral2/memory/3352-703-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral2/memory/3352-846-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral2/memory/3352-849-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral2/memory/3352-850-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral2/memory/3352-851-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral2/memory/3352-894-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral2/memory/3352-895-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral2/memory/3352-896-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral2/memory/3352-897-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral2/memory/3352-898-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral2/memory/3352-899-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral2/memory/3352-941-0x0000000000400000-0x00000000004AC000-memory.dmp	upx

Windows security modification 2 TTPs 20 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

EdgeBrowser.exeFirefoxinstaller.exeNortonInstaller.exeWinExplorer.exeEdgeBrowser.exerealtekaudio.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\EdgeBrowser.exe = "0"	EdgeBrowser.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	Firefoxinstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\NortonInstaller.exe = "0"	NortonInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\WinExplorer.exe = "0"	WinExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Firefoxinstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\EdgeBrowser.exe = "0"	EdgeBrowser.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe = "0"	NortonInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe = "0"	EdgeBrowser.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Firefoxinstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	Firefoxinstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe = "0"	WinExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\Firefoxinstaller.exe = "0"	Firefoxinstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	Firefoxinstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	Firefoxinstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	Firefoxinstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	Firefoxinstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe = "0"	realtekaudio.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\realtekaudio.exe = "0"	realtekaudio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	Firefoxinstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe = "0"	Firefoxinstaller.exe

Adds Run key to start application 2 TTPs 23 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NortonInstaller.exeEdgeBrowser.exerealtekaudio.exeexplorer.exeEdgeBrowser.exeEdgeBrowser.exeFirefoxinstaller.exeFirefoxinstaller.exeEdgeBrowser.exeWinExplorer.exerealtekaudio.exeWindowsExplorer.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\Documents\\NortonInstaller.exe"	NortonInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\Documents\\EdgeBrowser.exe"	EdgeBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Roaming\\realtekaudio.exe"	realtekaudio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\explorer\\explorer.exe\""	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\EdgeBrowser.exe"	EdgeBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\EdgeBrowser.exe"	EdgeBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\Documents\\Firefoxinstaller.exe"	Firefoxinstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EdgeBrowser.exe = "C:\\Users\\Admin\\Documents\\EdgeBrowser.exe"	EdgeBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Firefox.exeI nstaller\\Firefox.exe"	Firefoxinstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EdgeBrowser.exe = "C:\\Users\\Admin\\EdgeBrowser.exe"	EdgeBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EdgeBrowser.exe = "C:\\Users\\Admin\\EdgeBrowser.exe"	EdgeBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\Documents\\WinExplorer.exe"	WinExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Roaming\\realtekaudio.exe"	realtekaudio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\realtekaudio.exe = "C:\\Users\\Admin\\AppData\\Roaming\\realtekaudio.exe"	realtekaudio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\EdgeBrowser.exe"	EdgeBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\explorer\\explorer.exe\""	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NortonInstaller.exe = "C:\\Users\\Admin\\Documents\\NortonInstaller.exe"	NortonInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinExplorer.exe = "C:\\Users\\Admin\\Documents\\WinExplorer.exe"	WinExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\realtekaudio.exe = "C:\\Users\\Admin\\AppData\\Roaming\\realtekaudio.exe"	realtekaudio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\explorer\\explorer.exe\""	WindowsExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\explorer\\explorer.exe\""	WindowsExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EdgeBrowser.exe = "C:\\Users\\Admin\\EdgeBrowser.exe"	EdgeBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Firefoxinstaller.exe = "C:\\Users\\Admin\\Documents\\Firefoxinstaller.exe"	Firefoxinstaller.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

NortonInstaller.exeWD+UAC.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NortonInstaller.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WD+UAC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WD+UAC.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

Processes:

flow	ioc
26	pastebin.com
48	pastebin.com
103	pastebin.com
16	pastebin.com
17	pastebin.com
23	pastebin.com
24	pastebin.com
25	pastebin.com
27	pastebin.com
74	pastebin.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

WindowsExplorer.exeexplorer.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	WindowsExplorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	explorer.exe

AutoIT Executable 15 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/3352-33-0x0000000000400000-0x00000000004AC000-memory.dmp	autoit_exe
behavioral2/memory/3352-316-0x0000000000400000-0x00000000004AC000-memory.dmp	autoit_exe
behavioral2/memory/3352-442-0x0000000000400000-0x00000000004AC000-memory.dmp	autoit_exe
behavioral2/memory/3352-703-0x0000000000400000-0x00000000004AC000-memory.dmp	autoit_exe
behavioral2/memory/3352-846-0x0000000000400000-0x00000000004AC000-memory.dmp	autoit_exe
behavioral2/memory/3352-849-0x0000000000400000-0x00000000004AC000-memory.dmp	autoit_exe
behavioral2/memory/3352-850-0x0000000000400000-0x00000000004AC000-memory.dmp	autoit_exe
behavioral2/memory/3352-851-0x0000000000400000-0x00000000004AC000-memory.dmp	autoit_exe
behavioral2/memory/3352-894-0x0000000000400000-0x00000000004AC000-memory.dmp	autoit_exe
behavioral2/memory/3352-895-0x0000000000400000-0x00000000004AC000-memory.dmp	autoit_exe
behavioral2/memory/3352-896-0x0000000000400000-0x00000000004AC000-memory.dmp	autoit_exe
behavioral2/memory/3352-897-0x0000000000400000-0x00000000004AC000-memory.dmp	autoit_exe
behavioral2/memory/3352-898-0x0000000000400000-0x00000000004AC000-memory.dmp	autoit_exe
behavioral2/memory/3352-899-0x0000000000400000-0x00000000004AC000-memory.dmp	autoit_exe
behavioral2/memory/3352-941-0x0000000000400000-0x00000000004AC000-memory.dmp	autoit_exe

Drops file in System32 directory 2 IoCs

Processes:

reagentc.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Recovery	reagentc.exe
File opened for modification	C:\Windows\SysWOW64\Recovery\ReAgent.xml	reagentc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

Processes:

Firefoxinstaller.exeWinExplorer.exeEdgeBrowser.exeNortonInstaller.exerealtekaudio.exe

pid	Process
3612	Firefoxinstaller.exe
3612	Firefoxinstaller.exe
3612	Firefoxinstaller.exe
3612	Firefoxinstaller.exe
3612	Firefoxinstaller.exe
3612	Firefoxinstaller.exe
3612	Firefoxinstaller.exe
3612	Firefoxinstaller.exe
3612	Firefoxinstaller.exe
3612	Firefoxinstaller.exe
3612	Firefoxinstaller.exe
3612	Firefoxinstaller.exe
3612	Firefoxinstaller.exe
3612	Firefoxinstaller.exe
3612	Firefoxinstaller.exe
4544	WinExplorer.exe
4544	WinExplorer.exe
4544	WinExplorer.exe
4544	WinExplorer.exe
4544	WinExplorer.exe
4544	WinExplorer.exe
4544	WinExplorer.exe
4544	WinExplorer.exe
4544	WinExplorer.exe
4544	WinExplorer.exe
4544	WinExplorer.exe
4544	WinExplorer.exe
4544	WinExplorer.exe
4544	WinExplorer.exe
4544	WinExplorer.exe
1008	EdgeBrowser.exe
1008	EdgeBrowser.exe
1008	EdgeBrowser.exe
1008	EdgeBrowser.exe
1008	EdgeBrowser.exe
1008	EdgeBrowser.exe
1008	EdgeBrowser.exe
1008	EdgeBrowser.exe
1008	EdgeBrowser.exe
1008	EdgeBrowser.exe
1008	EdgeBrowser.exe
1008	EdgeBrowser.exe
1008	EdgeBrowser.exe
1008	EdgeBrowser.exe
1008	EdgeBrowser.exe
2752	NortonInstaller.exe
2752	NortonInstaller.exe
2752	NortonInstaller.exe
2752	NortonInstaller.exe
2752	NortonInstaller.exe
2752	NortonInstaller.exe
2752	NortonInstaller.exe
2752	NortonInstaller.exe
2752	NortonInstaller.exe
2752	NortonInstaller.exe
2752	NortonInstaller.exe
2752	NortonInstaller.exe
2752	NortonInstaller.exe
2752	NortonInstaller.exe
2752	NortonInstaller.exe
5356	realtekaudio.exe
5356	realtekaudio.exe
5356	realtekaudio.exe
5356	realtekaudio.exe

Suspicious use of SetThreadContext 10 IoCs

Processes:

Firefoxinstaller.exeFirefoxinstaller.exeWinExplorer.exeEdgeBrowser.exeNortonInstaller.exerealtekaudio.exerealtekaudio.exeEdgeBrowser.exeEdgeBrowser.exeEdgeBrowser.exe

description	pid	Process	procid_target
PID 3612 set thread context of 6392	3612	Firefoxinstaller.exe	163
PID 6392 set thread context of 6672	6392	Firefoxinstaller.exe	167
PID 4544 set thread context of 5348	4544	WinExplorer.exe	169
PID 1008 set thread context of 7000	1008	EdgeBrowser.exe	172
PID 2752 set thread context of 1960	2752	NortonInstaller.exe	178
PID 5356 set thread context of 5744	5356	realtekaudio.exe	199
PID 5376 set thread context of 5400	5376	realtekaudio.exe	201
PID 5236 set thread context of 2796	5236	EdgeBrowser.exe	229
PID 732 set thread context of 5168	732	EdgeBrowser.exe	253
PID 3692 set thread context of 4192	3692	EdgeBrowser.exe	272

Drops file in Windows directory 4 IoCs

Processes:

reagentc.exe

description	ioc	Process
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	reagentc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
1092	8	WerFault.exe	83
1520	668	WerFault.exe	84
6744	3612	WerFault.exe	86
5584	1008	WerFault.exe	89
6324	2752	WerFault.exe	87
6888	5356	WerFault.exe	145
4748	5376	WerFault.exe	146
512	5236	WerFault.exe	212
2168	732	WerFault.exe	241
4512	3692	WerFault.exe	260

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exeNortonInstaller.exetimeout.exetimeout.exeschtasks.exepowershell.exepowershell.execmd.execmd.exepowershell.execmd.exepowershell.exepowershell.execmd.execmd.exeMicrosoftCompatibility Download.exepowershell.exetimeout.exepowershell.exeEdgeBrowser.exeschtasks.exeEdgeBrowser.exeWinExplorer.exepowershell.exetimeout.exeEasyAASM.execmd.exereg.exerealtekaudio.exetimeout.exeEdgeBrowser.exeEdgeBrowser.exepowershell.exeschtasks.exepowershell.exeschtasks.exepowershell.exeNortonInstaller.exepowershell.exetimeout.exeEdgeBrowser.exeschtasks.exeEdgeBrowser.exePING.EXEpowershell.exepowershell.exepowershell.exetmpF974.tmp.exeWindowsExplorer.exeschtasks.exepowershell.exepowershell.exepowershell.exeschtasks.exereagentc.exepowershell.exepowershell.exepowershell.execmd.exepowershell.exetimeout.exeFirefoxinstaller.exepowershell.exeEdgeBrowser.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NortonInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftCompatibility Download.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EdgeBrowser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EdgeBrowser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EasyAASM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	realtekaudio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EdgeBrowser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EdgeBrowser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NortonInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EdgeBrowser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EdgeBrowser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF974.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reagentc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Firefoxinstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EdgeBrowser.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEcmd.exePING.EXE

pid	Process
5612	PING.EXE
6992	cmd.exe
7080	PING.EXE

Delays execution with timeout.exe 9 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	Process
6012	timeout.exe
5348	timeout.exe
7160	timeout.exe
6584	timeout.exe
2540	timeout.exe
5472	timeout.exe
6572	timeout.exe
4932	timeout.exe
808	timeout.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exe

pid	Process
2880	reg.exe
3880	reg.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXE

pid	Process
5612	PING.EXE
7080	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
6716	schtasks.exe
2628	schtasks.exe
3340	schtasks.exe
3740	schtasks.exe
760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tmpF666.tmp.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
3548	tmpF666.tmp.exe
3548	tmpF666.tmp.exe
3548	tmpF666.tmp.exe
4972	powershell.exe
4972	powershell.exe
220	powershell.exe
220	powershell.exe
1968	powershell.exe
1968	powershell.exe
4176	powershell.exe
4176	powershell.exe
2744	powershell.exe
2744	powershell.exe
4204	powershell.exe
4204	powershell.exe
4288	powershell.exe
4288	powershell.exe
636	powershell.exe
636	powershell.exe
3464	powershell.exe
3464	powershell.exe
3172	powershell.exe
3172	powershell.exe
5012	powershell.exe
5012	powershell.exe
3560	powershell.exe
3560	powershell.exe
2268	powershell.exe
2268	powershell.exe
1212	powershell.exe
1212	powershell.exe
4516	powershell.exe
4516	powershell.exe
1864	powershell.exe
1864	powershell.exe
4344	powershell.exe
4344	powershell.exe
2504	powershell.exe
2504	powershell.exe
412	powershell.exe
412	powershell.exe
4972	powershell.exe
4972	powershell.exe
4176	powershell.exe
4176	powershell.exe
220	powershell.exe
220	powershell.exe
1968	powershell.exe
1968	powershell.exe
2744	powershell.exe
2744	powershell.exe
4204	powershell.exe
4204	powershell.exe
5012	powershell.exe
636	powershell.exe
636	powershell.exe
4344	powershell.exe
3464	powershell.exe
3464	powershell.exe
3172	powershell.exe
4288	powershell.exe
4288	powershell.exe
3560	powershell.exe
1212	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

tmpF974.tmp.exeNortonInstaller.exe

pid	Process
3352	tmpF974.tmp.exe
1960	NortonInstaller.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

f1fa7d91c9d5c31b8dcb25fa73a1fad3_JaffaCakes118.exetmpF666.tmp.exeMicrosoftCompatibility Download.exeFirefoxinstaller.exepowershell.exeWinExplorer.exepowershell.exeNortonInstaller.exepowershell.exepowershell.exepowershell.exeEdgeBrowser.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exerealtekaudio.exerealtekaudio.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWinExplorer.exepowershell.exeFirefoxinstaller.exepowershell.exeNortonInstaller.exeEdgeBrowser.exepowershell.exepowershell.exepowershell.exepowershell.exerealtekaudio.exeEdgeBrowser.exeEdgeBrowser.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	4696	f1fa7d91c9d5c31b8dcb25fa73a1fad3_JaffaCakes118.exe
Token: SeDebugPrivilege	3548	tmpF666.tmp.exe
Token: SeDebugPrivilege	668	MicrosoftCompatibility Download.exe
Token: SeDebugPrivilege	3612	Firefoxinstaller.exe
Token: SeDebugPrivilege	4176	powershell.exe
Token: SeDebugPrivilege	4544	WinExplorer.exe
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	2752	NortonInstaller.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	1008	EdgeBrowser.exe
Token: SeDebugPrivilege	4204	powershell.exe
Token: SeDebugPrivilege	4288	powershell.exe
Token: SeDebugPrivilege	3464	powershell.exe
Token: SeDebugPrivilege	636	powershell.exe
Token: SeDebugPrivilege	4344	powershell.exe
Token: SeDebugPrivilege	3172	powershell.exe
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeDebugPrivilege	3560	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	412	powershell.exe
Token: SeDebugPrivilege	5356	realtekaudio.exe
Token: SeDebugPrivilege	5376	realtekaudio.exe
Token: SeDebugPrivilege	6040	powershell.exe
Token: SeDebugPrivilege	5480	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	5172	powershell.exe
Token: SeDebugPrivilege	5348	WinExplorer.exe
Token: SeDebugPrivilege	6212	powershell.exe
Token: SeDebugPrivilege	6672	Firefoxinstaller.exe
Token: SeDebugPrivilege	6436	powershell.exe
Token: SeDebugPrivilege	1960	NortonInstaller.exe
Token: SeDebugPrivilege	1960	NortonInstaller.exe
Token: SeDebugPrivilege	5236	EdgeBrowser.exe
Token: SeDebugPrivilege	7040	powershell.exe
Token: SeDebugPrivilege	6840	powershell.exe
Token: SeDebugPrivilege	5800	powershell.exe
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeDebugPrivilege	5744	realtekaudio.exe
Token: SeDebugPrivilege	5744	realtekaudio.exe
Token: SeDebugPrivilege	2796	EdgeBrowser.exe
Token: 33	2796	EdgeBrowser.exe
Token: SeIncBasePriorityPrivilege	2796	EdgeBrowser.exe
Token: 33	2796	EdgeBrowser.exe
Token: SeIncBasePriorityPrivilege	2796	EdgeBrowser.exe
Token: 33	2796	EdgeBrowser.exe
Token: SeIncBasePriorityPrivilege	2796	EdgeBrowser.exe
Token: SeDebugPrivilege	732	EdgeBrowser.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: 33	2796	EdgeBrowser.exe
Token: SeIncBasePriorityPrivilege	2796	EdgeBrowser.exe
Token: 33	2796	EdgeBrowser.exe
Token: SeIncBasePriorityPrivilege	2796	EdgeBrowser.exe
Token: 33	2796	EdgeBrowser.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

tmpF974.tmp.exe

pid	Process
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

tmpF974.tmp.exe

pid	Process
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

tmpF974.tmp.exeFirefoxinstaller.exeexplorer.exe

pid	Process
3352	tmpF974.tmp.exe
3352	tmpF974.tmp.exe
6672	Firefoxinstaller.exe
6672	Firefoxinstaller.exe
6672	Firefoxinstaller.exe
960	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f1fa7d91c9d5c31b8dcb25fa73a1fad3_JaffaCakes118.exetmpF666.tmp.exeEasyAASM.exeFirefoxinstaller.exeWinExplorer.exeNortonInstaller.exe

description	pid	Process	procid_target
PID 4696 wrote to memory of 3548	4696	f1fa7d91c9d5c31b8dcb25fa73a1fad3_JaffaCakes118.exe	81
PID 4696 wrote to memory of 3548	4696	f1fa7d91c9d5c31b8dcb25fa73a1fad3_JaffaCakes118.exe	81
PID 4696 wrote to memory of 3352	4696	f1fa7d91c9d5c31b8dcb25fa73a1fad3_JaffaCakes118.exe	82
PID 4696 wrote to memory of 3352	4696	f1fa7d91c9d5c31b8dcb25fa73a1fad3_JaffaCakes118.exe	82
PID 4696 wrote to memory of 3352	4696	f1fa7d91c9d5c31b8dcb25fa73a1fad3_JaffaCakes118.exe	82
PID 3548 wrote to memory of 8	3548	tmpF666.tmp.exe	83
PID 3548 wrote to memory of 8	3548	tmpF666.tmp.exe	83
PID 3548 wrote to memory of 8	3548	tmpF666.tmp.exe	83
PID 3548 wrote to memory of 668	3548	tmpF666.tmp.exe	84
PID 3548 wrote to memory of 668	3548	tmpF666.tmp.exe	84
PID 3548 wrote to memory of 668	3548	tmpF666.tmp.exe	84
PID 3548 wrote to memory of 4776	3548	tmpF666.tmp.exe	85
PID 3548 wrote to memory of 4776	3548	tmpF666.tmp.exe	85
PID 3548 wrote to memory of 4776	3548	tmpF666.tmp.exe	85
PID 3548 wrote to memory of 3612	3548	tmpF666.tmp.exe	86
PID 3548 wrote to memory of 3612	3548	tmpF666.tmp.exe	86
PID 3548 wrote to memory of 3612	3548	tmpF666.tmp.exe	86
PID 3548 wrote to memory of 2752	3548	tmpF666.tmp.exe	87
PID 3548 wrote to memory of 2752	3548	tmpF666.tmp.exe	87
PID 3548 wrote to memory of 2752	3548	tmpF666.tmp.exe	87
PID 3548 wrote to memory of 4544	3548	tmpF666.tmp.exe	88
PID 3548 wrote to memory of 4544	3548	tmpF666.tmp.exe	88
PID 3548 wrote to memory of 4544	3548	tmpF666.tmp.exe	88
PID 3548 wrote to memory of 1008	3548	tmpF666.tmp.exe	89
PID 3548 wrote to memory of 1008	3548	tmpF666.tmp.exe	89
PID 3548 wrote to memory of 1008	3548	tmpF666.tmp.exe	89
PID 4776 wrote to memory of 3572	4776	EasyAASM.exe	92
PID 4776 wrote to memory of 3572	4776	EasyAASM.exe	92
PID 4776 wrote to memory of 3572	4776	EasyAASM.exe	92
PID 4776 wrote to memory of 1968	4776	EasyAASM.exe	93
PID 4776 wrote to memory of 1968	4776	EasyAASM.exe	93
PID 4776 wrote to memory of 1968	4776	EasyAASM.exe	93
PID 4776 wrote to memory of 2744	4776	EasyAASM.exe	94
PID 4776 wrote to memory of 2744	4776	EasyAASM.exe	94
PID 4776 wrote to memory of 2744	4776	EasyAASM.exe	94
PID 4776 wrote to memory of 220	4776	EasyAASM.exe	95
PID 4776 wrote to memory of 220	4776	EasyAASM.exe	95
PID 4776 wrote to memory of 220	4776	EasyAASM.exe	95
PID 3612 wrote to memory of 4176	3612	Firefoxinstaller.exe	99
PID 3612 wrote to memory of 4176	3612	Firefoxinstaller.exe	99
PID 3612 wrote to memory of 4176	3612	Firefoxinstaller.exe	99
PID 3612 wrote to memory of 4972	3612	Firefoxinstaller.exe	103
PID 3612 wrote to memory of 4972	3612	Firefoxinstaller.exe	103
PID 3612 wrote to memory of 4972	3612	Firefoxinstaller.exe	103
PID 3612 wrote to memory of 4204	3612	Firefoxinstaller.exe	105
PID 3612 wrote to memory of 4204	3612	Firefoxinstaller.exe	105
PID 3612 wrote to memory of 4204	3612	Firefoxinstaller.exe	105
PID 4544 wrote to memory of 636	4544	WinExplorer.exe	106
PID 4544 wrote to memory of 636	4544	WinExplorer.exe	106
PID 4544 wrote to memory of 636	4544	WinExplorer.exe	106
PID 2752 wrote to memory of 5012	2752	NortonInstaller.exe	109
PID 2752 wrote to memory of 5012	2752	NortonInstaller.exe	109
PID 2752 wrote to memory of 5012	2752	NortonInstaller.exe	109
PID 4544 wrote to memory of 3172	4544	WinExplorer.exe	111
PID 4544 wrote to memory of 3172	4544	WinExplorer.exe	111
PID 4544 wrote to memory of 3172	4544	WinExplorer.exe	111
PID 3612 wrote to memory of 4288	3612	Firefoxinstaller.exe	113
PID 3612 wrote to memory of 4288	3612	Firefoxinstaller.exe	113
PID 3612 wrote to memory of 4288	3612	Firefoxinstaller.exe	113
PID 2752 wrote to memory of 3464	2752	NortonInstaller.exe	114
PID 2752 wrote to memory of 3464	2752	NortonInstaller.exe	114
PID 2752 wrote to memory of 3464	2752	NortonInstaller.exe	114
PID 4544 wrote to memory of 4344	4544	WinExplorer.exe	117
PID 4544 wrote to memory of 4344	4544	WinExplorer.exe	117

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

WD+UAC.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WD+UAC.exe

C:\Users\Admin\AppData\Local\Temp\f1fa7d91c9d5c31b8dcb25fa73a1fad3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f1fa7d91c9d5c31b8dcb25fa73a1fad3_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Users\Admin\AppData\Local\Temp\tmpF666.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpF666.tmp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Users\Admin\Documents\WD+UAC.exe
    "C:\Users\Admin\Documents\WD+UAC.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System policy modification
    PID:8
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 904
      4⤵
      Program crash
      PID:1092
- - C:\Users\Admin\Documents\MicrosoftCompatibility Download.exe
    "C:\Users\Admin\Documents\MicrosoftCompatibility Download.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:668
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 1964
      4⤵
      Program crash
      PID:1520
- - C:\Users\Admin\Documents\EasyAASM.exe
    "C:\Users\Admin\Documents\EasyAASM.exe"
    3⤵
    - Drops file in Drivers directory
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Windows\SysWOW64\reagentc.exe
      reagentc.exe /disable
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:3572
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1968
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2744
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:220
  - - C:\Users\Admin\AppData\Roaming\realtekaudio.exe
      "C:\Users\Admin\AppData\Roaming\realtekaudio.exe"
      4⤵
      Modifies WinLogon for persistence
      Windows security bypass
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:5356
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe" -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:6040
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe" -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5480
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe" -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5172
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\realtekaudio.exe" -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6616
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:7160
    - - C:\Users\Admin\AppData\Roaming\realtekaudio.exe
        
        "C:\Users\Admin\AppData\Roaming\realtekaudio.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5744
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5356 -s 2152
        5⤵
        Program crash
        
        PID:6888
  - - C:\Users\Admin\AppData\Roaming\realtekaudio.exe
      C:\Users\Admin\AppData\Roaming\realtekaudio.exe
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:5376
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe" -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4352
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe" -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe" -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6212
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\realtekaudio.exe" -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:6436
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        5⤵
        
        PID:5484
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:6572
    - - C:\Users\Admin\AppData\Roaming\realtekaudio.exe
        
        "C:\Users\Admin\AppData\Roaming\realtekaudio.exe"
        5⤵
        Executes dropped EXE
        
        PID:5400
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 2096
        5⤵
        Program crash
        
        PID:4748
- - C:\Users\Admin\Documents\Firefoxinstaller.exe
    "C:\Users\Admin\Documents\Firefoxinstaller.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies Windows Defender Real-time Protection settings
    - Windows security bypass
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3612
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4176
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4972
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4204
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\Firefoxinstaller.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4288
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      4⤵
      PID:4380
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:6012
  - - C:\Users\Admin\Documents\Firefoxinstaller.exe
      "C:\Users\Admin\Documents\Firefoxinstaller.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      PID:6392
    - - C:\Users\Admin\Documents\Firefoxinstaller.exe
        
        "C:\Users\Admin\Documents\Firefoxinstaller.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:6672
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /delete /tn "WindowsUpdate.exe" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6884
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ping 1.1.1.1 -n 5 -w 5000 > Nul & Del "C:\Users\Admin\Documents\Firefoxinstaller.exe"
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6992
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 5 -w 5000
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7080
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "WindowsUpdate.exe" /sc ONLOGON /tr "C:\Users\Admin\Documents\Firefoxinstaller.exe" /rl HIGHEST /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3340
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 2200
      4⤵
      Program crash
      PID:6744
- - C:\Users\Admin\Documents\NortonInstaller.exe
    "C:\Users\Admin\Documents\NortonInstaller.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Windows security bypass
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5012
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3464
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3560
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\NortonInstaller.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1864
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      4⤵
      PID:5232
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        5⤵
        Delays execution with timeout.exe
        
        PID:5472
  - - C:\Users\Admin\Documents\NortonInstaller.exe
      "C:\Users\Admin\Documents\NortonInstaller.exe"
      4⤵
      Executes dropped EXE
      PID:6724
  - - C:\Users\Admin\Documents\NortonInstaller.exe
      "C:\Users\Admin\Documents\NortonInstaller.exe"
      4⤵
      Executes dropped EXE
      PID:1856
  - - C:\Users\Admin\Documents\NortonInstaller.exe
      "C:\Users\Admin\Documents\NortonInstaller.exe"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1960
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "WAN Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5B79.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:6716
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 2192
      4⤵
      Program crash
      PID:6324
- - C:\Users\Admin\Documents\WinExplorer.exe
    "C:\Users\Admin\Documents\WinExplorer.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Windows security bypass
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:636
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3172
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4344
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\WinExplorer.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1212
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      4⤵
      PID:5248
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5348
  - - C:\Users\Admin\Documents\WinExplorer.exe
      "C:\Users\Admin\Documents\WinExplorer.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5348
    - - C:\Users\Admin\Documents\WindowsExplorer.exe
        
        "C:\Users\Admin\Documents\WindowsExplorer.exe"
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        System Location Discovery: System Language Discovery
        
        PID:6916
      - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5808
        
        C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        7⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3880
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 2
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5612
        
        C:\explorer\explorer.exe
        
        "C:\explorer\explorer.exe"
        7⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Suspicious use of SetWindowsHookEx
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        9⤵
        UAC bypass
        Modifies registry key
        
        PID:2880
- - C:\Users\Admin\Documents\EdgeBrowser.exe
    "C:\Users\Admin\Documents\EdgeBrowser.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Windows security bypass
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1008
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2268
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4516
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2504
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\EdgeBrowser.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:412
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      4⤵
      PID:5516
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2540
  - - C:\Users\Admin\Documents\EdgeBrowser.exe
      "C:\Users\Admin\Documents\EdgeBrowser.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:7000
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /tn NYAN /F
        5⤵
        
        PID:2264
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn NYAN /tr "C:\Users\Admin\Documents\EdgeBrowser.exe" /sc minute /mo 1
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2628
    - - C:\Users\Admin\EdgeBrowser.exe
        
        "C:\Users\Admin\EdgeBrowser.exe"
        5⤵
        Modifies WinLogon for persistence
        Windows security bypass
        Checks computer location settings
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5236
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:7040
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6840
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5800
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\EdgeBrowser.exe" -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4140
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6740
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4932
      - C:\Users\Admin\EdgeBrowser.exe
        
        "C:\Users\Admin\EdgeBrowser.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /tn NYAN /F
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn NYAN /tr "C:\Users\Admin\EdgeBrowser.exe" /sc minute /mo 1
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3740
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 2208
        6⤵
        Program crash
        
        PID:512
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 2168
      4⤵
      Program crash
      PID:5584
- C:\Users\Admin\AppData\Local\Temp\tmpF974.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpF974.tmp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8 -ip 8
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 668 -ip 668
1⤵
PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3612 -ip 3612
1⤵
PID:6536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1008 -ip 1008
1⤵
PID:6092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2752 -ip 2752
1⤵
PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5356 -ip 5356
1⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5376 -ip 5376
1⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5236 -ip 5236
1⤵
PID:3360

C:\Users\Admin\EdgeBrowser.exe
C:\Users\Admin\EdgeBrowser.exe
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:732
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4848
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:936
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\EdgeBrowser.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4936
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2408
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:6584
- C:\Users\Admin\EdgeBrowser.exe
  "C:\Users\Admin\EdgeBrowser.exe"
  2⤵
  - Executes dropped EXE
  PID:5168
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /tn NYAN /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2504
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn NYAN /tr "C:\Users\Admin\EdgeBrowser.exe" /sc minute /mo 1
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 1292
  2⤵
  - Program crash
  PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 732 -ip 732
1⤵
PID:5432

C:\Users\Admin\EdgeBrowser.exe
C:\Users\Admin\EdgeBrowser.exe
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3692
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  PID:3916
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  PID:6960
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  PID:6644
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\EdgeBrowser.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:212
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5140
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:808
- C:\Users\Admin\EdgeBrowser.exe
  "C:\Users\Admin\EdgeBrowser.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4192
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 2192
  2⤵
  - Program crash
  PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3692 -ip 3692
1⤵
PID:6036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EdgeBrowser.exe.log

Filesize
706B

MD5
7119a280abc0c4b5f21a0932887a54ac

SHA1
aa369248ea6d293fe56a5ed669e29cd897911f84

SHA256
418398bab7542ba692fe00d88d6de06c65f73b9376567c5190a007f7a211c91f

SHA512
b11111d017e86445be9c41d2ca4a6e147cf2d8ae31663bb0772e2eaaf3a7a906285ab78a708d9122a29f8aa2519e80b12e050ad4538867e2b5d3edb0fe21039f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Firefoxinstaller.exe.log

Filesize
507B

MD5
76ffb2f33cb32ade8fc862a67599e9d8

SHA1
920cc4ab75b36d2f9f6e979b74db568973c49130

SHA256
f1a3724670e3379318ec9c73f6f39058cab0ab013ba3cd90c047c3d701362310

SHA512
f33502c2e1bb30c05359bfc6819ca934642a1e01874e3060349127d792694d56ad22fccd6c9477b8ee50d66db35785779324273f509576b48b7f85577e001b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WinExplorer.exe.log

Filesize
1KB

MD5
9a2d0ce437d2445330f2646472703087

SHA1
33c83e484a15f35c2caa3af62d5da6b7713a20ae

SHA256
30ea2f716e85f8d14a201e3fb0897d745a01b113342dfb7a9b7ac133c4ef150c

SHA512
a61d18d90bfad9ea8afdfa37537cfea3d5a3d0c161e323fa65840c283bdc87c3de85daaff5519beea2f2719eec1c68398eea8679b55ff733a61052f073162d5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
124edf3ad57549a6e475f3bc4e6cfe51

SHA1
80f5187eeebb4a304e9caa0ce66fcd78c113d634

SHA256
638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

SHA512
b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
aec7e585d17e0461c05d125190800519

SHA1
79d58382a8e5b9c8422c521cca16543cdda8b946

SHA256
cff59b09d56434402327ce35d6ba2baafca37de5d73f8415d2a2bbe0d2b6df36

SHA512
8c37e597b730271c909a3fa274b2b1ae840ddb32ebba50ceab92ed993efca7a51cb87ec2484b5306a339451e5e4aa9ad82120a0987fa0b5c8b7ec38fd10913db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
e2f749ca07b3fdfaaf0e9827cdc040ab

SHA1
f34e705036dc8b539434b076e8b81b98fc0861a1

SHA256
62f3e3285cc783260681c37a408106baabfa1a2231037e9e0e411205ed433c01

SHA512
59ec42b98d9cdfb5861f74ef7b4b96187c5865e54049b7051310a1aa0ada311b2ee89a117d5734117482cb9a098c4dc28aae47aca2ca84aa159de32ca295c328

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3029725ae203dee43ce2416517d2b875

SHA1
54cdae10661fe96245c90a950fdee5a10a6326d0

SHA256
32b9df27bb25dc8f7742f2a9ae03b8dc31c07fe0fee9e156cd3aed018c246475

SHA512
f26294b84a9500683167bb1ae556b87c16e686873cc2e391bca7a2da6523087b681f833bd6898514c493b26d5be497cc3411e9340de08fd6969aebcd24e0072f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3c8aa85830fe5e2ffeeda8ccd676eaf8

SHA1
114b6f5a9291a2efc2e62c28da1c14b65a80d2b6

SHA256
9281964f2f9f6972db959d052c8579b4c67ead7e08171f7a9488af75675eebaf

SHA512
db475d6ffc6de33e4b4d941983f5d8023622a9d6ee36bed20e9664506db3df2f95e9b22d070c798002ef9f60d72195032443dc9d3277499f0a70eb6ec9c36454

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5c109defc532f49833ffb49e09772b57

SHA1
81f08279ca2029964ab7dc83900e71ecc4c30e49

SHA256
920480e49fadc89710b50d4b7234a0008801a6e5b00e76db9730735f2dd558c5

SHA512
39610d584205ee81e542616f3f87eb077dab4f6a75d4f4068969836ee12a86abb5c09ce38133cb24af2427f6aad1a3c62cfb0b1e60b867e0ffa4a40bb0629d98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ac3e03530c34f3da777493a63924fad7

SHA1
04b9d28ba81426499811423dd2cb32ea89ac335b

SHA256
2c8f02bf1fdf4b9ff445f0cbbd9cc24926fb63d2534a378b445bdaacdcc366b3

SHA512
cc15274b6e45962c15774d3997003cb006aa5c6dead7d0500ed9358dc760834eb5a7ba8202495b5e809c98ccd9853f6bdb86218a8685479b0d803c53f7067157

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
608f49a2d5752cca3a8f3caa442ab729

SHA1
f719b1bc558d2bd05f728bc3e06f6d3b1629da05

SHA256
daa73b8b52745b74a1336a9cbb7056ac3871f305c3b436eef5651703fed065ad

SHA512
bc05f9fa7b7b247b3df238bf3d6bb95052afef0efa9428797757210f8f835359846660fe7166a06fc385cc8cb2508fc542334f0cb4ecfbd0a266119175c23a75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4f67d4fd64f9d68215bcc1e15ce304d6

SHA1
2597bb1d5f9500c5b157780a53f5ce4542030bfc

SHA256
01cffcfb9befeb5808e5201f043100e90a6b38fe7016460c1bda66f399a466c0

SHA512
ae7ccfb535d0697c8dae207e43b684690c51deb105f729a000a7229d1c8db085548a86c6d1d4a11be623c3429f24ad974f4cf3a5d332164198490dcadbccee77

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qlmjd1mt.1yt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
127B

MD5
80b32b79bf519fce07cdf7b8b7881067

SHA1
2fe368e8f5855ef5f08c46f389bf3b5482ace60b

SHA256
8ed98d8b82c482aaa79a8ea2f1aaea676c5641d69f2478ba7f241e990d5d99b1

SHA512
dc7b986bd5de842d8beb315dea77a424194701b6272cac884dd31cd04586879fa93f3d1f44ec9ca01625b31115b00a2b5fe5028baef7d9ab277881653cab116e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5B79.tmp

Filesize
1KB

MD5
8d64f65d497b498fe88d9f446628e0e6

SHA1
2c01f76965fa52f717649db191a016b04c296b97

SHA256
735f05df747c5fee00b019083ce51cc52bc338382228e43441f1700a8dc3385b

SHA512
e9f3df490abd42ca4321a771ee35a54819e37eea99256a398544d94c6ff30f7d021a23d87233e3112a2edb5d5fecef4835b688281e2b29d114af01a90cd6fbf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF666.tmp.exe

Filesize
1.3MB

MD5
11ee7471fc15a11b25135052aa282602

SHA1
bacf067665074dddd07b74c0ff44e27d549e6866

SHA256
7c85333ea420f466a6d3113f5ded4c3cadc8ba4d9ae92fe2f53d475543c8c87b

SHA512
391087e5eefd09f8013824ffdb7b2d5c27c41e259b56e19dbde061862276125dd6998468b71007503edad28e9d7cb5e88b15b9977a666a00194c3a6063e152d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF974.tmp.exe

Filesize
479KB

MD5
ba9409e272ccd7bb5a43e9d28f1b7440

SHA1
2dd25abd0c6e55e05f596671c839ed035e00e61d

SHA256
73b7fea4754e8be18812adc0ddd7b3c3c8c3797a889cc801cc94c7195027aa11

SHA512
89a1e4e77465c965cfe9c1ab2983d601506469cafbebc327daeee52fefd319a4f988af375e932060a3debab5fea7ad7830ec8b0453daa08f7320358c54472bc9

Download Submit
C:\Users\Admin\AppData\Roaming\realtekaudio.exe

Filesize
1.1MB

MD5
b117965f227519eb5c8d6e86bc2dd2a4

SHA1
e1d80bd0958b69cc73eaf1ee26aa816f795aad63

SHA256
f8cfedc4ecdfa6a3e14f46968b5a8e6797a448b0d30f12015cd721121470fcfd

SHA512
728252062ff056079c811cfd42c52971b55e96771ecbd911c49f01c94927a1259ab96c2079e78aced2cae737302401889a3fda52c91d0eccc3719f24d17c177f

Download Submit
C:\Users\Admin\Documents\EasyAASM.exe

Filesize
315KB

MD5
4807d6b3bc3740ed58861f208470d076

SHA1
5efe5de43d28aeaa24c7065ce7113fd0c96f2539

SHA256
133a86c10b14d53d0807901d3cd477b0e1f62b9351707fe82ded7fe19c1f7689

SHA512
e1494471bc8bf182b694907714043cc39d7e4003ccfd56d1fc41c3d15071bf2cc4347858afacff174849be30b32aab828f91d13f3dd58629e0f560918bca6475

Download Submit
C:\Users\Admin\Documents\EdgeBrowser.exe

Filesize
1.3MB

MD5
824438344c636fdd81ff2e0d02577912

SHA1
ae288a2cc5bd0cce01615d8d568031c3e84902e2

SHA256
eaba5f0fb075665dc6568f05f66a271b0a03046da739d41de5920d78c40deb65

SHA512
09f1903c6244af5f191e64e9ff6025af6a1c752096b48d43094e5eb6f92c00a77381b49dd6d0d57fc995d4bc4a8375f0ef13d2a9cbc823e3d91b6b9f418b568b

Download Submit
C:\Users\Admin\Documents\Firefoxinstaller.exe

Filesize
1.5MB

MD5
70d3bb5c6ca4166d190ad265b14f117e

SHA1
95497e892ee875ef226edf3db059121c2c5284ed

SHA256
7d8f13128ef978852b8a1446bba4f9c9dea53cbcd1fcedc08b2054cbe8b0e5d9

SHA512
0abff26122a137960f1d4564828b1456d0bdff68c87d120c3514cc2c819038d0c6c34398f67377898058b6e8d08f4676393831c413d80181786e459ef4d01720

Download Submit
C:\Users\Admin\Documents\MicrosoftCompatibility Download.exe

Filesize
29KB

MD5
cc4dacf8520e38549ad23aaeedf67027

SHA1
2583bf30caee94ea804201c65d55d6e4df7f643f

SHA256
671d6806eb42b720d6fd9aa0e19c14918bb79204db90b5db1fbdf67ee87c253f

SHA512
4e8ad8b28d596c9844d5255e9f25f3e9999433e8804e1eb2af2bf3a1aba2742c1a4df500b460c5837f596f41f0d3f05686c5d817de6b294edbae1a652c63725a

Download Submit
C:\Users\Admin\Documents\NortonInstaller.exe

Filesize
2.1MB

MD5
d2fe1a2f73303d37c178250add341b97

SHA1
e341e8adaec629d299101bbf1b9a3ca2bfaf7417

SHA256
26742bef88539fcb6beb9753293a4fef4044663cfcb0a799e989194fcdfd3456

SHA512
0c685c265ed28f7655bf27c1a5c1f735670df40ae6e4b835bac3cc62b63b8fe54af82ab0941ca988b1c3220e740c0b2508103a1736b72a79a27ea17bf9a1bc81

Download Submit
C:\Users\Admin\Documents\WD+UAC.exe

Filesize
97KB

MD5
a77ff55010a30b7bda46c35f74c160ea

SHA1
2be0031a06e02ce9a16ffd59747e793314759167

SHA256
7a2b062cfbd490970999dff5b19a25b0600d6ada1cf1271066dcf335d74dee30

SHA512
fdd0e51697aa2bcea5ae6939493cc5360794f96429e08d194ac1b72b689221da047bae8be0f698654b42e23f5381b102b0854e1cece20557df93db1c596eed02

Download Submit
C:\Users\Admin\Documents\WinExplorer.exe

Filesize
1.0MB

MD5
3830fb01bdf4b41e2e9551d422caf795

SHA1
d63a892fc41d2be82de8d02a04b906a8595dcac9

SHA256
6c07127df2ebac66a59a3bc4157a891def20b61d87cf2d206353025893d01422

SHA512
5f2c54bd05b2fe4109b66e3721a19cd533899c3c694ca3a51422cb5d4015d536b96d0e16ea1f5ed8a43dc6d3e690a1702351034f3a68765d6dc6b16983c19886

Download Submit
C:\Users\Admin\Documents\WindowsExplorer.exe

Filesize
92KB

MD5
01ccde20287004986c0f29ff0df2e3b1

SHA1
18f9831e3246a08f000b0f4d6f009f2294c7c652

SHA256
862e652677b7a597b24efc1bdb16030ed8512a8e262050a4b40a829b58855860

SHA512
785545dcb74ca29b405261931be0464e65aadc84ebf51e7ad62af709b3867c3a706c9b4efc1e7f922e90c301ff0944feb2dbe6a790db7ac0ba4215b75fde86ee

Download Submit
memory/8-74-0x0000000000B80000-0x0000000000BA2000-memory.dmp

Filesize
136KB

Download
memory/8-96-0x0000000002E10000-0x0000000002E16000-memory.dmp

Filesize
24KB

Download
memory/220-687-0x0000000007940000-0x0000000007948000-memory.dmp

Filesize
32KB

Download
memory/220-655-0x0000000007860000-0x0000000007874000-memory.dmp

Filesize
80KB

Download
memory/220-393-0x0000000007600000-0x000000000761A000-memory.dmp

Filesize
104KB

Download
memory/220-678-0x0000000007960000-0x000000000797A000-memory.dmp

Filesize
104KB

Download
memory/220-352-0x000000006F9C0000-0x000000006FA0C000-memory.dmp

Filesize
304KB

Download
memory/220-652-0x0000000007850000-0x000000000785E000-memory.dmp

Filesize
56KB

Download
memory/220-504-0x0000000007820000-0x0000000007831000-memory.dmp

Filesize
68KB

Download
memory/412-505-0x000000006F9C0000-0x000000006FA0C000-memory.dmp

Filesize
304KB

Download
memory/636-404-0x000000006F9C0000-0x000000006FA0C000-memory.dmp

Filesize
304KB

Download
memory/668-79-0x00000000001D0000-0x00000000001DE000-memory.dmp

Filesize
56KB

Download
memory/1008-130-0x00000000051C0000-0x00000000051F6000-memory.dmp

Filesize
216KB

Download
memory/1008-121-0x0000000000670000-0x00000000007B6000-memory.dmp

Filesize
1.3MB

Download
memory/1212-444-0x000000006F9C0000-0x000000006FA0C000-memory.dmp

Filesize
304KB

Download
memory/1864-490-0x000000006F9C0000-0x000000006FA0C000-memory.dmp

Filesize
304KB

Download
memory/1960-650-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1960-692-0x0000000005BD0000-0x0000000005BEE000-memory.dmp

Filesize
120KB

Download
memory/1960-689-0x0000000005B00000-0x0000000005B0A000-memory.dmp

Filesize
40KB

Download
memory/1960-693-0x0000000005DD0000-0x0000000005DDA000-memory.dmp

Filesize
40KB

Download
memory/1968-362-0x000000006F9C0000-0x000000006FA0C000-memory.dmp

Filesize
304KB

Download
memory/2268-474-0x000000006F9C0000-0x000000006FA0C000-memory.dmp

Filesize
304KB

Download
memory/2504-515-0x000000006F9C0000-0x000000006FA0C000-memory.dmp

Filesize
304KB

Download
memory/2744-372-0x000000006F9C0000-0x000000006FA0C000-memory.dmp

Filesize
304KB

Download
memory/2752-128-0x0000000006A90000-0x0000000006AE4000-memory.dmp

Filesize
336KB

Download
memory/2752-97-0x0000000000D20000-0x0000000000F44000-memory.dmp

Filesize
2.1MB

Download
memory/3172-417-0x000000006F9C0000-0x000000006FA0C000-memory.dmp

Filesize
304KB

Download
memory/3352-850-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3352-33-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3352-895-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3352-894-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3352-316-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3352-851-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3352-941-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3352-896-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3352-703-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3352-442-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3352-897-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3352-846-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3352-899-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3352-849-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3352-898-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3464-464-0x000000006F9C0000-0x000000006FA0C000-memory.dmp

Filesize
304KB

Download
memory/3548-36-0x00007FF8FF720000-0x00007FF9001E1000-memory.dmp

Filesize
10.8MB

Download
memory/3548-23-0x00007FF8FF723000-0x00007FF8FF725000-memory.dmp

Filesize
8KB

Download
memory/3548-24-0x0000000000980000-0x0000000000AC8000-memory.dmp

Filesize
1.3MB

Download
memory/3548-29-0x00007FF8FF720000-0x00007FF9001E1000-memory.dmp

Filesize
10.8MB

Download
memory/3548-32-0x00007FF8FF720000-0x00007FF9001E1000-memory.dmp

Filesize
10.8MB

Download
memory/3548-31-0x00007FF8FF720000-0x00007FF9001E1000-memory.dmp

Filesize
10.8MB

Download
memory/3548-123-0x00007FF8FF720000-0x00007FF9001E1000-memory.dmp

Filesize
10.8MB

Download
memory/3560-418-0x000000006F9C0000-0x000000006FA0C000-memory.dmp

Filesize
304KB

Download
memory/3612-116-0x00000000052D0000-0x0000000005310000-memory.dmp

Filesize
256KB

Download
memory/3612-84-0x0000000000790000-0x0000000000920000-memory.dmp

Filesize
1.6MB

Download
memory/3916-936-0x0000000006820000-0x000000000686C000-memory.dmp

Filesize
304KB

Download
memory/4176-329-0x0000000007410000-0x0000000007442000-memory.dmp

Filesize
200KB

Download
memory/4176-340-0x00000000066F0000-0x000000000670E000-memory.dmp

Filesize
120KB

Download
memory/4176-132-0x0000000004D50000-0x0000000004D86000-memory.dmp

Filesize
216KB

Download
memory/4176-330-0x000000006F9C0000-0x000000006FA0C000-memory.dmp

Filesize
304KB

Download
memory/4176-141-0x0000000005CA0000-0x0000000005FF4000-memory.dmp

Filesize
3.3MB

Download
memory/4176-140-0x0000000005C30000-0x0000000005C96000-memory.dmp

Filesize
408KB

Download
memory/4176-139-0x0000000005BC0000-0x0000000005C26000-memory.dmp

Filesize
408KB

Download
memory/4176-138-0x0000000005B20000-0x0000000005B42000-memory.dmp

Filesize
136KB

Download
memory/4176-414-0x0000000007520000-0x000000000752A000-memory.dmp

Filesize
40KB

Download
memory/4176-439-0x0000000007870000-0x0000000007906000-memory.dmp

Filesize
600KB

Download
memory/4176-133-0x00000000053C0000-0x00000000059E8000-memory.dmp

Filesize
6.2MB

Download
memory/4176-342-0x0000000007450000-0x00000000074F3000-memory.dmp

Filesize
652KB

Download
memory/4204-382-0x000000006F9C0000-0x000000006FA0C000-memory.dmp

Filesize
304KB

Download
memory/4288-484-0x000000006F9C0000-0x000000006FA0C000-memory.dmp

Filesize
304KB

Download
memory/4344-454-0x000000006F9C0000-0x000000006FA0C000-memory.dmp

Filesize
304KB

Download
memory/4516-521-0x000000006F9C0000-0x000000006FA0C000-memory.dmp

Filesize
304KB

Download
memory/4544-111-0x00000000000E0000-0x00000000001EC000-memory.dmp

Filesize
1.0MB

Download
memory/4544-124-0x0000000004BE0000-0x0000000004C0E000-memory.dmp

Filesize
184KB

Download
memory/4696-2-0x00007FF901B20000-0x00007FF9024C1000-memory.dmp

Filesize
9.6MB

Download
memory/4696-0-0x00007FF901DD5000-0x00007FF901DD6000-memory.dmp

Filesize
4KB

Download
memory/4696-30-0x00007FF901B20000-0x00007FF9024C1000-memory.dmp

Filesize
9.6MB

Download
memory/4696-3-0x000000001B5E0000-0x000000001B686000-memory.dmp

Filesize
664KB

Download
memory/4696-1-0x00007FF901B20000-0x00007FF9024C1000-memory.dmp

Filesize
9.6MB

Download
memory/4776-100-0x00000000053F0000-0x00000000053FA000-memory.dmp

Filesize
40KB

Download
memory/4776-101-0x0000000005630000-0x0000000005686000-memory.dmp

Filesize
344KB

Download
memory/4776-73-0x0000000000B10000-0x0000000000B66000-memory.dmp

Filesize
344KB

Download
memory/4776-83-0x0000000005440000-0x00000000054DC000-memory.dmp

Filesize
624KB

Download
memory/4776-91-0x0000000005BE0000-0x0000000006184000-memory.dmp

Filesize
5.6MB

Download
memory/4776-125-0x0000000006B00000-0x0000000006C14000-memory.dmp

Filesize
1.1MB

Download
memory/4776-93-0x0000000005580000-0x0000000005612000-memory.dmp

Filesize
584KB

Download
memory/4848-888-0x0000000006700000-0x000000000674C000-memory.dmp

Filesize
304KB

Download
memory/4972-392-0x00000000080D0000-0x000000000874A000-memory.dmp

Filesize
6.5MB

Download
memory/4972-315-0x0000000006B50000-0x0000000006B9C000-memory.dmp

Filesize
304KB

Download
memory/4972-314-0x0000000006750000-0x000000000676E000-memory.dmp

Filesize
120KB

Download
memory/4972-341-0x000000006F9C0000-0x000000006FA0C000-memory.dmp

Filesize
304KB

Download
memory/5012-394-0x000000006F9C0000-0x000000006FA0C000-memory.dmp

Filesize
304KB

Download
memory/5348-546-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5356-327-0x0000000005660000-0x0000000005690000-memory.dmp

Filesize
192KB

Download
memory/5356-326-0x0000000000B30000-0x0000000000C44000-memory.dmp

Filesize
1.1MB

Download
memory/5480-716-0x000000006F9C0000-0x000000006FA0C000-memory.dmp

Filesize
304KB

Download
memory/5744-733-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/6040-706-0x000000006F9C0000-0x000000006FA0C000-memory.dmp

Filesize
304KB

Download
memory/6392-438-0x00000000028F0000-0x00000000028FA000-memory.dmp

Filesize
40KB

Download
memory/6392-415-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/6672-440-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/7000-608-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download