xpertrat | 515fbf67c103e796658acaf24ae3762943a56ebf14337ab46bf9e140f61da0f4

Analysis

max time kernel
137s
max time network
130s
platform
windows7_x64
resource
win7-en-20210920
submitted
25-09-2021 08:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d761f42a4df1938b43282d88e12c741a.exe
Size

12KB
MD5

d761f42a4df1938b43282d88e12c741a
SHA1

fc1913d79b6f8c738bfdbb64cb99ac863ce42f05
SHA256

515fbf67c103e796658acaf24ae3762943a56ebf14337ab46bf9e140f61da0f4
SHA512

946cc5a7d60062ddc597b460f199dd28d35be42ab8092e5ad9a17e3dc31bdcf40ff4c875e5d44fc1896fdec28805edb3729edad36f2a3ae2d81d61f03379df24

Score

10^/10

xpertrat test evasion persistence rat trojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Test

kapasky-antivirus.firewall-gateway.net:4000

Mutex

L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

XpertRAT Core Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1152-154-0x0000000000400000-0x0000000000443000-memory.dmp	xpertrat
behavioral1/memory/1152-155-0x0000000000401364-mapping.dmp	xpertrat

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1624 notepad.exe

pid	process
1624	notepad.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

d761f42a4df1938b43282d88e12c741a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	d761f42a4df1938b43282d88e12c741a.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

d761f42a4df1938b43282d88e12c741a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d761f42a4df1938b43282d88e12c741a.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

d761f42a4df1938b43282d88e12c741a.exed761f42a4df1938b43282d88e12c741a.exe

description	pid	process	target process
PID 1544 set thread context of 1540	1544	d761f42a4df1938b43282d88e12c741a.exe	d761f42a4df1938b43282d88e12c741a.exe
PID 1540 set thread context of 1696	1540	d761f42a4df1938b43282d88e12c741a.exe	iexplore.exe
PID 1540 set thread context of 1152	1540	d761f42a4df1938b43282d88e12c741a.exe	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exed761f42a4df1938b43282d88e12c741a.exed761f42a4df1938b43282d88e12c741a.exe

pid	process
1268	powershell.exe
968	powershell.exe
884	powershell.exe
672	powershell.exe
1928	powershell.exe
1824	powershell.exe
1316	powershell.exe
1716	powershell.exe
1512	powershell.exe
1108	powershell.exe
1516	powershell.exe
1604	powershell.exe
976	powershell.exe
1572	powershell.exe
752	powershell.exe
720	powershell.exe
812	powershell.exe
1868	powershell.exe
1084	powershell.exe
1904	powershell.exe
1544	d761f42a4df1938b43282d88e12c741a.exe
1540	d761f42a4df1938b43282d88e12c741a.exe
1540	d761f42a4df1938b43282d88e12c741a.exe
1540	d761f42a4df1938b43282d88e12c741a.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	672	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	720	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	1544	d761f42a4df1938b43282d88e12c741a.exe
Token: SeDebugPrivilege	1152	iexplore.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

d761f42a4df1938b43282d88e12c741a.exeiexplore.exe

pid process

1540 d761f42a4df1938b43282d88e12c741a.exe
1152 iexplore.exe

pid	process
1540	d761f42a4df1938b43282d88e12c741a.exe
1152	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d761f42a4df1938b43282d88e12c741a.exe

description	pid	process	target process
PID 1544 wrote to memory of 1268	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1268	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1268	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1268	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 968	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 968	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 968	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 968	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 884	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 884	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 884	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 884	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 672	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 672	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 672	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 672	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1928	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1928	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1928	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1928	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1824	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1824	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1824	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1824	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1316	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1316	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1316	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1316	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1716	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1716	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1716	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1716	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1512	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1512	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1512	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1512	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1108	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1108	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1108	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1108	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1516	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1516	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1516	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1516	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1604	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1604	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1604	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1604	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 976	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 976	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 976	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 976	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1572	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1572	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1572	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 1572	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 752	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 752	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 752	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 752	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 720	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 720	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 720	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe
PID 1544 wrote to memory of 720	1544	d761f42a4df1938b43282d88e12c741a.exe	powershell.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

d761f42a4df1938b43282d88e12c741a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d761f42a4df1938b43282d88e12c741a.exe

C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe
"C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe
C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe
2⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1540

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe
3⤵
PID:1696

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe
3⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1152

C:\Windows\SysWOW64\notepad.exe
notepad.exe
4⤵
- Deletes itself
PID:1624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
11b9a069409c4e3866d160005ea7f23c

SHA1
1e6ee8c61175ac9a943ff5da9fa938429b0ac709

SHA256
f1a5dab5eaf5cd5373a0397dfafb55efc239b04c0a8fad5269193c184c21ba49

SHA512
60a76ef808e6cae45d6483a43047fed5b7b6b37abc9aa7848a4a7cbdf10b93de7a0f032b8db9a721aa1fafd3c5ef37639828b45471b53c1348e65a02f6e74b66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
11b9a069409c4e3866d160005ea7f23c

SHA1
1e6ee8c61175ac9a943ff5da9fa938429b0ac709

SHA256
f1a5dab5eaf5cd5373a0397dfafb55efc239b04c0a8fad5269193c184c21ba49

SHA512
60a76ef808e6cae45d6483a43047fed5b7b6b37abc9aa7848a4a7cbdf10b93de7a0f032b8db9a721aa1fafd3c5ef37639828b45471b53c1348e65a02f6e74b66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
11b9a069409c4e3866d160005ea7f23c

SHA1
1e6ee8c61175ac9a943ff5da9fa938429b0ac709

SHA256
f1a5dab5eaf5cd5373a0397dfafb55efc239b04c0a8fad5269193c184c21ba49

SHA512
60a76ef808e6cae45d6483a43047fed5b7b6b37abc9aa7848a4a7cbdf10b93de7a0f032b8db9a721aa1fafd3c5ef37639828b45471b53c1348e65a02f6e74b66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
11b9a069409c4e3866d160005ea7f23c

SHA1
1e6ee8c61175ac9a943ff5da9fa938429b0ac709

SHA256
f1a5dab5eaf5cd5373a0397dfafb55efc239b04c0a8fad5269193c184c21ba49

SHA512
60a76ef808e6cae45d6483a43047fed5b7b6b37abc9aa7848a4a7cbdf10b93de7a0f032b8db9a721aa1fafd3c5ef37639828b45471b53c1348e65a02f6e74b66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
11b9a069409c4e3866d160005ea7f23c

SHA1
1e6ee8c61175ac9a943ff5da9fa938429b0ac709

SHA256
f1a5dab5eaf5cd5373a0397dfafb55efc239b04c0a8fad5269193c184c21ba49

SHA512
60a76ef808e6cae45d6483a43047fed5b7b6b37abc9aa7848a4a7cbdf10b93de7a0f032b8db9a721aa1fafd3c5ef37639828b45471b53c1348e65a02f6e74b66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
11b9a069409c4e3866d160005ea7f23c

SHA1
1e6ee8c61175ac9a943ff5da9fa938429b0ac709

SHA256
f1a5dab5eaf5cd5373a0397dfafb55efc239b04c0a8fad5269193c184c21ba49

SHA512
60a76ef808e6cae45d6483a43047fed5b7b6b37abc9aa7848a4a7cbdf10b93de7a0f032b8db9a721aa1fafd3c5ef37639828b45471b53c1348e65a02f6e74b66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
11b9a069409c4e3866d160005ea7f23c

SHA1
1e6ee8c61175ac9a943ff5da9fa938429b0ac709

SHA256
f1a5dab5eaf5cd5373a0397dfafb55efc239b04c0a8fad5269193c184c21ba49

SHA512
60a76ef808e6cae45d6483a43047fed5b7b6b37abc9aa7848a4a7cbdf10b93de7a0f032b8db9a721aa1fafd3c5ef37639828b45471b53c1348e65a02f6e74b66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
11b9a069409c4e3866d160005ea7f23c

SHA1
1e6ee8c61175ac9a943ff5da9fa938429b0ac709

SHA256
f1a5dab5eaf5cd5373a0397dfafb55efc239b04c0a8fad5269193c184c21ba49

SHA512
60a76ef808e6cae45d6483a43047fed5b7b6b37abc9aa7848a4a7cbdf10b93de7a0f032b8db9a721aa1fafd3c5ef37639828b45471b53c1348e65a02f6e74b66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
11b9a069409c4e3866d160005ea7f23c

SHA1
1e6ee8c61175ac9a943ff5da9fa938429b0ac709

SHA256
f1a5dab5eaf5cd5373a0397dfafb55efc239b04c0a8fad5269193c184c21ba49

SHA512
60a76ef808e6cae45d6483a43047fed5b7b6b37abc9aa7848a4a7cbdf10b93de7a0f032b8db9a721aa1fafd3c5ef37639828b45471b53c1348e65a02f6e74b66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
11b9a069409c4e3866d160005ea7f23c

SHA1
1e6ee8c61175ac9a943ff5da9fa938429b0ac709

SHA256
f1a5dab5eaf5cd5373a0397dfafb55efc239b04c0a8fad5269193c184c21ba49

SHA512
60a76ef808e6cae45d6483a43047fed5b7b6b37abc9aa7848a4a7cbdf10b93de7a0f032b8db9a721aa1fafd3c5ef37639828b45471b53c1348e65a02f6e74b66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
11b9a069409c4e3866d160005ea7f23c

SHA1
1e6ee8c61175ac9a943ff5da9fa938429b0ac709

SHA256
f1a5dab5eaf5cd5373a0397dfafb55efc239b04c0a8fad5269193c184c21ba49

SHA512
60a76ef808e6cae45d6483a43047fed5b7b6b37abc9aa7848a4a7cbdf10b93de7a0f032b8db9a721aa1fafd3c5ef37639828b45471b53c1348e65a02f6e74b66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
11b9a069409c4e3866d160005ea7f23c

SHA1
1e6ee8c61175ac9a943ff5da9fa938429b0ac709

SHA256
f1a5dab5eaf5cd5373a0397dfafb55efc239b04c0a8fad5269193c184c21ba49

SHA512
60a76ef808e6cae45d6483a43047fed5b7b6b37abc9aa7848a4a7cbdf10b93de7a0f032b8db9a721aa1fafd3c5ef37639828b45471b53c1348e65a02f6e74b66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
11b9a069409c4e3866d160005ea7f23c

SHA1
1e6ee8c61175ac9a943ff5da9fa938429b0ac709

SHA256
f1a5dab5eaf5cd5373a0397dfafb55efc239b04c0a8fad5269193c184c21ba49

SHA512
60a76ef808e6cae45d6483a43047fed5b7b6b37abc9aa7848a4a7cbdf10b93de7a0f032b8db9a721aa1fafd3c5ef37639828b45471b53c1348e65a02f6e74b66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
11b9a069409c4e3866d160005ea7f23c

SHA1
1e6ee8c61175ac9a943ff5da9fa938429b0ac709

SHA256
f1a5dab5eaf5cd5373a0397dfafb55efc239b04c0a8fad5269193c184c21ba49

SHA512
60a76ef808e6cae45d6483a43047fed5b7b6b37abc9aa7848a4a7cbdf10b93de7a0f032b8db9a721aa1fafd3c5ef37639828b45471b53c1348e65a02f6e74b66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
11b9a069409c4e3866d160005ea7f23c

SHA1
1e6ee8c61175ac9a943ff5da9fa938429b0ac709

SHA256
f1a5dab5eaf5cd5373a0397dfafb55efc239b04c0a8fad5269193c184c21ba49

SHA512
60a76ef808e6cae45d6483a43047fed5b7b6b37abc9aa7848a4a7cbdf10b93de7a0f032b8db9a721aa1fafd3c5ef37639828b45471b53c1348e65a02f6e74b66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
11b9a069409c4e3866d160005ea7f23c

SHA1
1e6ee8c61175ac9a943ff5da9fa938429b0ac709

SHA256
f1a5dab5eaf5cd5373a0397dfafb55efc239b04c0a8fad5269193c184c21ba49

SHA512
60a76ef808e6cae45d6483a43047fed5b7b6b37abc9aa7848a4a7cbdf10b93de7a0f032b8db9a721aa1fafd3c5ef37639828b45471b53c1348e65a02f6e74b66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
11b9a069409c4e3866d160005ea7f23c

SHA1
1e6ee8c61175ac9a943ff5da9fa938429b0ac709

SHA256
f1a5dab5eaf5cd5373a0397dfafb55efc239b04c0a8fad5269193c184c21ba49

SHA512
60a76ef808e6cae45d6483a43047fed5b7b6b37abc9aa7848a4a7cbdf10b93de7a0f032b8db9a721aa1fafd3c5ef37639828b45471b53c1348e65a02f6e74b66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
11b9a069409c4e3866d160005ea7f23c

SHA1
1e6ee8c61175ac9a943ff5da9fa938429b0ac709

SHA256
f1a5dab5eaf5cd5373a0397dfafb55efc239b04c0a8fad5269193c184c21ba49

SHA512
60a76ef808e6cae45d6483a43047fed5b7b6b37abc9aa7848a4a7cbdf10b93de7a0f032b8db9a721aa1fafd3c5ef37639828b45471b53c1348e65a02f6e74b66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
11b9a069409c4e3866d160005ea7f23c

SHA1
1e6ee8c61175ac9a943ff5da9fa938429b0ac709

SHA256
f1a5dab5eaf5cd5373a0397dfafb55efc239b04c0a8fad5269193c184c21ba49

SHA512
60a76ef808e6cae45d6483a43047fed5b7b6b37abc9aa7848a4a7cbdf10b93de7a0f032b8db9a721aa1fafd3c5ef37639828b45471b53c1348e65a02f6e74b66

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/672-72-0x0000000000000000-mapping.dmp

Download
memory/720-123-0x0000000002360000-0x0000000002FAA000-memory.dmp

Filesize
12.3MB

Download
memory/720-120-0x0000000000000000-mapping.dmp

Download
memory/752-117-0x0000000000000000-mapping.dmp

Download
memory/812-129-0x00000000003C2000-0x00000000003C4000-memory.dmp

Filesize
8KB

Download
memory/812-124-0x0000000000000000-mapping.dmp

Download
memory/812-127-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/812-128-0x00000000003C1000-0x00000000003C2000-memory.dmp

Filesize
4KB

Download
memory/884-67-0x0000000000000000-mapping.dmp

Download
memory/884-71-0x00000000024B0000-0x00000000030FA000-memory.dmp

Filesize
12.3MB

Download
memory/968-65-0x00000000022D1000-0x00000000022D2000-memory.dmp

Filesize
4KB

Download
memory/968-66-0x00000000022D2000-0x00000000022D4000-memory.dmp

Filesize
8KB

Download
memory/968-64-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/968-61-0x0000000000000000-mapping.dmp

Download
memory/976-108-0x0000000000000000-mapping.dmp

Download
memory/1084-136-0x0000000000000000-mapping.dmp

Download
memory/1084-139-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/1084-140-0x0000000002191000-0x0000000002192000-memory.dmp

Filesize
4KB

Download
memory/1084-141-0x0000000002192000-0x0000000002194000-memory.dmp

Filesize
8KB

Download
memory/1108-96-0x0000000000000000-mapping.dmp

Download
memory/1152-156-0x0000000000730000-0x0000000000883000-memory.dmp

Filesize
1.3MB

Download
memory/1152-155-0x0000000000401364-mapping.dmp

Download
memory/1152-154-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1268-56-0x0000000000000000-mapping.dmp

Download
memory/1268-60-0x0000000001C82000-0x0000000001C84000-memory.dmp

Filesize
8KB

Download
memory/1268-58-0x0000000001C80000-0x0000000001C81000-memory.dmp

Filesize
4KB

Download
memory/1268-59-0x0000000001C81000-0x0000000001C82000-memory.dmp

Filesize
4KB

Download
memory/1316-84-0x0000000000000000-mapping.dmp

Download
memory/1512-93-0x0000000000000000-mapping.dmp

Download
memory/1516-103-0x00000000025D1000-0x00000000025D2000-memory.dmp

Filesize
4KB

Download
memory/1516-104-0x00000000025D2000-0x00000000025D4000-memory.dmp

Filesize
8KB

Download
memory/1516-99-0x0000000000000000-mapping.dmp

Download
memory/1516-102-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1540-148-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1540-149-0x00000000004010B8-mapping.dmp

Download
memory/1544-146-0x0000000002160000-0x00000000021A6000-memory.dmp

Filesize
280KB

Download
memory/1544-145-0x0000000004410000-0x0000000004411000-memory.dmp

Filesize
4KB

Download
memory/1544-55-0x0000000074B91000-0x0000000074B93000-memory.dmp

Filesize
8KB

Download
memory/1544-147-0x00000000020A0000-0x00000000020D0000-memory.dmp

Filesize
192KB

Download
memory/1544-53-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/1572-114-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/1572-116-0x00000000023D2000-0x00000000023D4000-memory.dmp

Filesize
8KB

Download
memory/1572-115-0x00000000023D1000-0x00000000023D2000-memory.dmp

Filesize
4KB

Download
memory/1572-111-0x0000000000000000-mapping.dmp

Download
memory/1604-105-0x0000000000000000-mapping.dmp

Download
memory/1624-159-0x0000000000000000-mapping.dmp

Download
memory/1696-153-0x0000000000401364-mapping.dmp

Download
memory/1716-91-0x0000000002231000-0x0000000002232000-memory.dmp

Filesize
4KB

Download
memory/1716-87-0x0000000000000000-mapping.dmp

Download
memory/1716-92-0x0000000002232000-0x0000000002234000-memory.dmp

Filesize
8KB

Download
memory/1716-90-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1824-81-0x0000000000000000-mapping.dmp

Download
memory/1868-130-0x0000000000000000-mapping.dmp

Download
memory/1868-135-0x0000000002662000-0x0000000002664000-memory.dmp

Filesize
8KB

Download
memory/1868-134-0x0000000002661000-0x0000000002662000-memory.dmp

Filesize
4KB

Download
memory/1868-133-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/1904-142-0x0000000000000000-mapping.dmp

Download
memory/1928-80-0x0000000002382000-0x0000000002384000-memory.dmp

Filesize
8KB

Download
memory/1928-78-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/1928-79-0x0000000002381000-0x0000000002382000-memory.dmp

Filesize
4KB

Download
memory/1928-75-0x0000000000000000-mapping.dmp

Download