xpertrat | 099803578388c6f4a6a4904fdb0b8b8e77e7ee9c14eccbda79272baf92093e18

Analysis

max time kernel
149s
max time network
120s
platform
windows10_x64
resource
win10v20201028
submitted
17-11-2020 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13d84033f65345d8a87391ec0eb6b482.exe
Size

28KB
MD5

13d84033f65345d8a87391ec0eb6b482
SHA1

b6354b17def07e0ead0f90a30b50c9090e720e5f
SHA256

099803578388c6f4a6a4904fdb0b8b8e77e7ee9c14eccbda79272baf92093e18
SHA512

5093353181b2c6cb0ec0c421e7e5b87e3e222fd6fb5e250bed960ebad1a0041be4e7ba412067e1c6d4eba6e1248c59022eef87c281346c507aa0ae8990fe285f

Score

10^/10

xpertrat special x evasion rat trojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

special X

sandshoe.myfirewall.org:2054

sandshoe.myfirewall.org:4000

Mutex

C7H2A8R6-A3X1-J1N8-N887-L0I1C4O6U0D4

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

XpertRAT Core Payload 47 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2056-12-0x0000000000400000-0x0000000000443000-memory.dmp	xpertrat
behavioral2/memory/2056-13-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1052-18-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2444-21-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2908-24-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1952-27-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1484-30-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2172-33-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3764-36-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2896-39-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2952-42-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1428-45-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2900-48-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1324-51-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2612-54-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3004-57-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1452-60-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3604-63-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2328-66-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/4016-69-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2100-72-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/4000-75-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2576-78-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3736-81-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2600-84-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2652-87-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2304-90-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3036-93-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/4084-96-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3564-99-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2388-102-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1356-105-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1004-108-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2060-111-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/184-114-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2208-117-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2580-120-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/4036-123-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1256-126-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/480-129-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1328-132-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/420-135-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/192-138-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3444-141-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3156-144-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/496-147-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/736-150-0x0000000000401364-mapping.dmp	xpertrat

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

13d84033f65345d8a87391ec0eb6b482.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	13d84033f65345d8a87391ec0eb6b482.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

13d84033f65345d8a87391ec0eb6b482.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	13d84033f65345d8a87391ec0eb6b482.exe

Program crash 47 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2640	3932	WerFault.exe	13d84033f65345d8a87391ec0eb6b482.exe
3792	2056	WerFault.exe	iexplore.exe
1244	1052	WerFault.exe	iexplore.exe
2788	2444	WerFault.exe	iexplore.exe
3148	2908	WerFault.exe	iexplore.exe
2364	1952	WerFault.exe	iexplore.exe
1448	1484	WerFault.exe	iexplore.exe
2240	2172	WerFault.exe	iexplore.exe
500	3764	WerFault.exe	iexplore.exe
1208	2896	WerFault.exe	iexplore.exe
2108	2952	WerFault.exe	iexplore.exe
3408	1428	WerFault.exe	iexplore.exe
2352	2900	WerFault.exe	iexplore.exe
3684	1324	WerFault.exe	iexplore.exe
2420	2612	WerFault.exe	iexplore.exe
4092	3004	WerFault.exe	iexplore.exe
1432	1452	WerFault.exe	iexplore.exe
3436	3604	WerFault.exe	iexplore.exe
2464	2328	WerFault.exe	iexplore.exe
788	4016	WerFault.exe	iexplore.exe
1240	2100	WerFault.exe	iexplore.exe
2460	4000	WerFault.exe	iexplore.exe
3812	2576	WerFault.exe	iexplore.exe
3100	3736	WerFault.exe	iexplore.exe
932	2600	WerFault.exe	iexplore.exe
3964	2652	WerFault.exe	iexplore.exe
1696	2304	WerFault.exe	iexplore.exe
1924	3036	WerFault.exe	iexplore.exe
640	4084	WerFault.exe	iexplore.exe
1628	3564	WerFault.exe	iexplore.exe
2200	2388	WerFault.exe	iexplore.exe
3848	1356	WerFault.exe	iexplore.exe
3992	1004	WerFault.exe	iexplore.exe
2808	2060	WerFault.exe	iexplore.exe
2324	184	WerFault.exe	iexplore.exe
3152	2208	WerFault.exe	iexplore.exe
3796	2580	WerFault.exe	iexplore.exe
3600	4036	WerFault.exe	iexplore.exe
1248	1256	WerFault.exe	iexplore.exe
1212	480	WerFault.exe	iexplore.exe
1216	1328	WerFault.exe	iexplore.exe
2676	420	WerFault.exe	iexplore.exe
3020	192	WerFault.exe	iexplore.exe
3912	3444	WerFault.exe	iexplore.exe
3432	3156	WerFault.exe	iexplore.exe
2096	496	WerFault.exe	iexplore.exe
3808	736	WerFault.exe	iexplore.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

Processes:

13d84033f65345d8a87391ec0eb6b482.exe

pid	process
3932	13d84033f65345d8a87391ec0eb6b482.exe
3932	13d84033f65345d8a87391ec0eb6b482.exe
3932	13d84033f65345d8a87391ec0eb6b482.exe
3932	13d84033f65345d8a87391ec0eb6b482.exe
3932	13d84033f65345d8a87391ec0eb6b482.exe
3932	13d84033f65345d8a87391ec0eb6b482.exe
3932	13d84033f65345d8a87391ec0eb6b482.exe
3932	13d84033f65345d8a87391ec0eb6b482.exe
3932	13d84033f65345d8a87391ec0eb6b482.exe
3932	13d84033f65345d8a87391ec0eb6b482.exe
3932	13d84033f65345d8a87391ec0eb6b482.exe
3932	13d84033f65345d8a87391ec0eb6b482.exe
3932	13d84033f65345d8a87391ec0eb6b482.exe

Suspicious use of SetThreadContext 47 IoCs

Processes:

13d84033f65345d8a87391ec0eb6b482.exe13d84033f65345d8a87391ec0eb6b482.exe

description	pid	process	target process
PID 3932 set thread context of 2440	3932	13d84033f65345d8a87391ec0eb6b482.exe	13d84033f65345d8a87391ec0eb6b482.exe
PID 2440 set thread context of 2056	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 1052	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 2444	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 2908	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 1952	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 1484	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 2172	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 3764	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 2896	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 2952	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 1428	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 2900	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 1324	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 2612	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 3004	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 1452	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 3604	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 2328	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 4016	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 2100	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 4000	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 2576	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 3736	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 2600	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 2652	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 2304	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 3036	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 4084	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 3564	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 2388	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 1356	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 1004	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 2060	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 184	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 2208	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 2580	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 4036	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 1256	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 480	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 1328	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 420	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 192	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 3444	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 3156	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 496	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 set thread context of 736	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1252 timeout.exe

pid	process
1252	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

13d84033f65345d8a87391ec0eb6b482.exe13d84033f65345d8a87391ec0eb6b482.exeWerFault.exe

pid	process
3932	13d84033f65345d8a87391ec0eb6b482.exe
3932	13d84033f65345d8a87391ec0eb6b482.exe
3932	13d84033f65345d8a87391ec0eb6b482.exe
3932	13d84033f65345d8a87391ec0eb6b482.exe
3932	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe
2440	13d84033f65345d8a87391ec0eb6b482.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

13d84033f65345d8a87391ec0eb6b482.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3932	13d84033f65345d8a87391ec0eb6b482.exe
Token: SeRestorePrivilege	2640	WerFault.exe
Token: SeBackupPrivilege	2640	WerFault.exe
Token: SeDebugPrivilege	2640	WerFault.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

13d84033f65345d8a87391ec0eb6b482.exe

pid process

2440 13d84033f65345d8a87391ec0eb6b482.exe
Suspicious use of UnmapMainImage 3 IoCs

Processes:

iexplore.exe

pid process

2652 iexplore.exe
2652 iexplore.exe
2652 iexplore.exe

pid	process
2440	13d84033f65345d8a87391ec0eb6b482.exe

pid	process
2652	iexplore.exe
2652	iexplore.exe
2652	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

13d84033f65345d8a87391ec0eb6b482.exe13d84033f65345d8a87391ec0eb6b482.exe

description	pid	process	target process
PID 3932 wrote to memory of 1252	3932	13d84033f65345d8a87391ec0eb6b482.exe	timeout.exe
PID 3932 wrote to memory of 1252	3932	13d84033f65345d8a87391ec0eb6b482.exe	timeout.exe
PID 3932 wrote to memory of 1252	3932	13d84033f65345d8a87391ec0eb6b482.exe	timeout.exe
PID 3932 wrote to memory of 2912	3932	13d84033f65345d8a87391ec0eb6b482.exe	13d84033f65345d8a87391ec0eb6b482.exe
PID 3932 wrote to memory of 2912	3932	13d84033f65345d8a87391ec0eb6b482.exe	13d84033f65345d8a87391ec0eb6b482.exe
PID 3932 wrote to memory of 2912	3932	13d84033f65345d8a87391ec0eb6b482.exe	13d84033f65345d8a87391ec0eb6b482.exe
PID 3932 wrote to memory of 2440	3932	13d84033f65345d8a87391ec0eb6b482.exe	13d84033f65345d8a87391ec0eb6b482.exe
PID 3932 wrote to memory of 2440	3932	13d84033f65345d8a87391ec0eb6b482.exe	13d84033f65345d8a87391ec0eb6b482.exe
PID 3932 wrote to memory of 2440	3932	13d84033f65345d8a87391ec0eb6b482.exe	13d84033f65345d8a87391ec0eb6b482.exe
PID 3932 wrote to memory of 2440	3932	13d84033f65345d8a87391ec0eb6b482.exe	13d84033f65345d8a87391ec0eb6b482.exe
PID 3932 wrote to memory of 2440	3932	13d84033f65345d8a87391ec0eb6b482.exe	13d84033f65345d8a87391ec0eb6b482.exe
PID 3932 wrote to memory of 2440	3932	13d84033f65345d8a87391ec0eb6b482.exe	13d84033f65345d8a87391ec0eb6b482.exe
PID 3932 wrote to memory of 2440	3932	13d84033f65345d8a87391ec0eb6b482.exe	13d84033f65345d8a87391ec0eb6b482.exe
PID 2440 wrote to memory of 2056	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 2056	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 2056	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 2056	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 2056	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 2056	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 2056	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 2056	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 1052	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 1052	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 1052	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 1052	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 1052	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 1052	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 1052	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 1052	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 2444	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 2444	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 2444	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 2444	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 2444	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 2444	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 2444	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 2444	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 2908	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 2908	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 2908	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 2908	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 2908	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 2908	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 2908	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 2908	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 1952	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 1952	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 1952	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 1952	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 1952	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 1952	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 1952	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 1952	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 1484	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 1484	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 1484	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 1484	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 1484	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 1484	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 1484	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 1484	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 2172	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 2172	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe
PID 2440 wrote to memory of 2172	2440	13d84033f65345d8a87391ec0eb6b482.exe	iexplore.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

13d84033f65345d8a87391ec0eb6b482.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	13d84033f65345d8a87391ec0eb6b482.exe

C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
"C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3932

C:\Windows\SysWOW64\timeout.exe
timeout 5
2⤵
- Delays execution with timeout.exe
PID:1252

C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
"C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe"
2⤵
PID:2912

C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
"C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe"
2⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2440

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 24
4⤵
- Program crash
PID:3792

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:1052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 24
4⤵
- Program crash
PID:1244

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 24
4⤵
- Program crash
PID:2788

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 24
4⤵
- Program crash
PID:3148

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 24
4⤵
- Program crash
PID:2364

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 24
4⤵
- Program crash
PID:1448

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 24
4⤵
- Program crash
PID:2240

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 24
4⤵
- Program crash
PID:500

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 24
4⤵
- Program crash
PID:1208

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 24
4⤵
- Program crash
PID:2108

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 24
4⤵
- Program crash
PID:3408

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 24
4⤵
- Program crash
PID:2352

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 24
4⤵
- Program crash
PID:3684

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 24
4⤵
- Program crash
PID:2420

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 24
4⤵
- Program crash
PID:4092

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 24
4⤵
- Program crash
PID:1432

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 24
4⤵
- Program crash
PID:3436

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 24
4⤵
- Program crash
PID:2464

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 24
4⤵
- Program crash
PID:788

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 24
4⤵
- Program crash
PID:1240

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 24
4⤵
- Program crash
PID:2460

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 28
4⤵
- Program crash
PID:3812

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 24
4⤵
- Program crash
PID:3100

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 24
4⤵
- Program crash
PID:932

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
- Suspicious use of UnmapMainImage
PID:2652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 24
4⤵
- Program crash
PID:3964

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 24
4⤵
- Program crash
PID:1696

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 24
4⤵
- Program crash
PID:1924

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 24
4⤵
- Program crash
PID:640

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 24
4⤵
- Program crash
PID:1628

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 24
4⤵
- Program crash
PID:2200

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 24
4⤵
- Program crash
PID:3848

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:1004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 24
4⤵
- Program crash
PID:3992

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 24
4⤵
- Program crash
PID:2808

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 184 -s 24
4⤵
- Program crash
PID:2324

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 24
4⤵
- Program crash
PID:3152

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:2580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 24
4⤵
- Program crash
PID:3796

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 24
4⤵
- Program crash
PID:3600

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 24
4⤵
- Program crash
PID:1248

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 480 -s 24
4⤵
- Program crash
PID:1212

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 24
4⤵
- Program crash
PID:1216

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 420 -s 24
4⤵
- Program crash
PID:2676

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 192 -s 24
4⤵
- Program crash
PID:3020

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 24
4⤵
- Program crash
PID:3912

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 24
4⤵
- Program crash
PID:3432

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 24
4⤵
- Program crash
PID:2096

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\13d84033f65345d8a87391ec0eb6b482.exe
3⤵
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 24
4⤵
- Program crash
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 1716
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/184-114-0x0000000000401364-mapping.dmp

Download
memory/192-138-0x0000000000401364-mapping.dmp

Download
memory/420-135-0x0000000000401364-mapping.dmp

Download
memory/480-129-0x0000000000401364-mapping.dmp

Download
memory/496-147-0x0000000000401364-mapping.dmp

Download
memory/500-37-0x00000000041C0000-0x00000000041C1000-memory.dmp

Filesize
4KB

Download
memory/640-97-0x0000000004530000-0x0000000004531000-memory.dmp

Filesize
4KB

Download
memory/736-150-0x0000000000401364-mapping.dmp

Download
memory/932-85-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/1004-108-0x0000000000401364-mapping.dmp

Download
memory/1052-18-0x0000000000401364-mapping.dmp

Download
memory/1208-40-0x0000000004240000-0x0000000004241000-memory.dmp

Filesize
4KB

Download
memory/1212-130-0x00000000041E0000-0x00000000041E1000-memory.dmp

Filesize
4KB

Download
memory/1216-133-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/1240-73-0x0000000004030000-0x0000000004031000-memory.dmp

Filesize
4KB

Download
memory/1244-19-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/1248-127-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/1252-4-0x0000000000000000-mapping.dmp

Download
memory/1256-126-0x0000000000401364-mapping.dmp

Download
memory/1324-51-0x0000000000401364-mapping.dmp

Download
memory/1328-132-0x0000000000401364-mapping.dmp

Download
memory/1356-105-0x0000000000401364-mapping.dmp

Download
memory/1428-45-0x0000000000401364-mapping.dmp

Download
memory/1432-61-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/1448-31-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/1452-60-0x0000000000401364-mapping.dmp

Download
memory/1484-30-0x0000000000401364-mapping.dmp

Download
memory/1628-100-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/1696-91-0x00000000046E0000-0x00000000046E1000-memory.dmp

Filesize
4KB

Download
memory/1924-94-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/1952-27-0x0000000000401364-mapping.dmp

Download
memory/2056-12-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2056-13-0x0000000000401364-mapping.dmp

Download
memory/2060-111-0x0000000000401364-mapping.dmp

Download
memory/2096-148-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/2100-72-0x0000000000401364-mapping.dmp

Download
memory/2108-43-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/2172-33-0x0000000000401364-mapping.dmp

Download
memory/2200-103-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/2208-117-0x0000000000401364-mapping.dmp

Download
memory/2240-34-0x00000000044E0000-0x00000000044E1000-memory.dmp

Filesize
4KB

Download
memory/2304-90-0x0000000000401364-mapping.dmp

Download
memory/2324-115-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/2328-66-0x0000000000401364-mapping.dmp

Download
memory/2352-49-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/2364-28-0x00000000046A0000-0x00000000046A1000-memory.dmp

Filesize
4KB

Download
memory/2388-102-0x0000000000401364-mapping.dmp

Download
memory/2420-55-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/2440-9-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2440-8-0x00000000004010B8-mapping.dmp

Download
memory/2440-7-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2444-21-0x0000000000401364-mapping.dmp

Download
memory/2460-76-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/2464-67-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/2576-78-0x0000000000401364-mapping.dmp

Download
memory/2580-120-0x0000000000401364-mapping.dmp

Download
memory/2600-84-0x0000000000401364-mapping.dmp

Download
memory/2612-54-0x0000000000401364-mapping.dmp

Download
memory/2640-16-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/2640-14-0x00000000041C0000-0x00000000041C1000-memory.dmp

Filesize
4KB

Download
memory/2652-87-0x0000000000401364-mapping.dmp

Download
memory/2676-136-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/2788-22-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/2808-112-0x00000000043D0000-0x00000000043D1000-memory.dmp

Filesize
4KB

Download
memory/2896-39-0x0000000000401364-mapping.dmp

Download
memory/2900-48-0x0000000000401364-mapping.dmp

Download
memory/2908-24-0x0000000000401364-mapping.dmp

Download
memory/2952-42-0x0000000000401364-mapping.dmp

Download
memory/3004-57-0x0000000000401364-mapping.dmp

Download
memory/3020-139-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/3036-93-0x0000000000401364-mapping.dmp

Download
memory/3100-82-0x0000000004690000-0x0000000004691000-memory.dmp

Filesize
4KB

Download
memory/3148-25-0x0000000004640000-0x0000000004641000-memory.dmp

Filesize
4KB

Download
memory/3152-118-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/3156-144-0x0000000000401364-mapping.dmp

Download
memory/3408-46-0x0000000004440000-0x0000000004441000-memory.dmp

Filesize
4KB

Download
memory/3432-145-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/3436-64-0x00000000044F0000-0x00000000044F1000-memory.dmp

Filesize
4KB

Download
memory/3444-141-0x0000000000401364-mapping.dmp

Download
memory/3564-99-0x0000000000401364-mapping.dmp

Download
memory/3600-124-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/3604-63-0x0000000000401364-mapping.dmp

Download
memory/3684-52-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/3736-81-0x0000000000401364-mapping.dmp

Download
memory/3764-36-0x0000000000401364-mapping.dmp

Download
memory/3792-15-0x00000000045C0000-0x00000000045C1000-memory.dmp

Filesize
4KB

Download
memory/3796-121-0x0000000004030000-0x0000000004031000-memory.dmp

Filesize
4KB

Download
memory/3808-151-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/3812-79-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/3912-142-0x0000000004580000-0x0000000004581000-memory.dmp

Filesize
4KB

Download
memory/3932-0-0x0000000073300000-0x00000000739EE000-memory.dmp

Filesize
6.9MB

Download
memory/3932-3-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/3932-5-0x0000000007070000-0x00000000070A9000-memory.dmp

Filesize
228KB

Download
memory/3932-1-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/3932-6-0x00000000075B0000-0x00000000075B1000-memory.dmp

Filesize
4KB

Download
memory/3964-88-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/3992-109-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/4000-75-0x0000000000401364-mapping.dmp

Download
memory/4016-69-0x0000000000401364-mapping.dmp

Download
memory/4036-123-0x0000000000401364-mapping.dmp

Download
memory/4084-96-0x0000000000401364-mapping.dmp

Download
memory/4092-58-0x00000000045B0000-0x00000000045B1000-memory.dmp

Filesize
4KB

Download