Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
01-10-2021 07:22
Static task
static1
Behavioral task
behavioral1
Sample
fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
Resource
win7-en-20210920
General
-
Target
fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
-
Size
358KB
-
MD5
d952cb0acf14545d0e6da5509db9088d
-
SHA1
9e4c5b31c821cc46f8eba61d65442f0bdbe67b98
-
SHA256
fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98
-
SHA512
e66869cc859af82d4ad9db0c877d949905e3f28876e1022f434083e6f26492e3edac72624ce3143ca85446f4bce7ed208e41f846c5bcb13af7343047c7df8ebc
Malware Config
Extracted
xpertrat
3.0.10
Test
kapasky-antivirus.firewall-gateway.net:4000
L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0
Signatures
-
XpertRAT Core Payload 37 IoCs
Processes:
resource yara_rule behavioral2/memory/4180-874-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/4780-991-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/1076-1076-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/4552-1160-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/4800-1225-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/2728-1264-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/3780-1266-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/2652-1268-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/4996-1270-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/5028-1272-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/5080-1274-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/5104-1276-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/4112-1278-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/912-1280-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/4828-1282-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/4380-1284-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/4296-1286-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/4332-1288-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/4384-1290-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/4436-1292-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/3420-1294-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/2624-1296-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/2188-1298-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/3992-1300-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/4508-1302-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/1896-1304-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/4224-1306-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/2304-1308-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/1592-1310-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/2132-1312-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/4244-1314-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/4656-1316-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/4704-1318-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/4724-1320-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/4760-1322-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/4804-1324-0x0000000000401364-mapping.dmp xpertrat behavioral2/memory/4840-1326-0x0000000000401364-mapping.dmp xpertrat -
Processes:
fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe -
Processes:
fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe -
Program crash 37 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 4236 4180 WerFault.exe iexplore.exe 4876 4780 WerFault.exe iexplore.exe 384 1076 WerFault.exe iexplore.exe 4580 4552 WerFault.exe iexplore.exe 4832 4800 WerFault.exe iexplore.exe 3908 2728 WerFault.exe iexplore.exe 3568 3780 WerFault.exe iexplore.exe 3820 2652 WerFault.exe iexplore.exe 5036 4996 WerFault.exe iexplore.exe 5060 5028 WerFault.exe iexplore.exe 5100 5080 WerFault.exe iexplore.exe 1324 5104 WerFault.exe iexplore.exe 4148 4112 WerFault.exe iexplore.exe 992 912 WerFault.exe iexplore.exe 4276 4828 WerFault.exe iexplore.exe 612 4380 WerFault.exe iexplore.exe 4328 4296 WerFault.exe iexplore.exe 4340 4332 WerFault.exe iexplore.exe 4412 4384 WerFault.exe iexplore.exe 2632 4436 WerFault.exe iexplore.exe 2072 3420 WerFault.exe iexplore.exe 2168 2624 WerFault.exe iexplore.exe 4464 2188 WerFault.exe iexplore.exe 4488 3992 WerFault.exe iexplore.exe 4520 4508 WerFault.exe iexplore.exe 4548 1896 WerFault.exe iexplore.exe 2220 4224 WerFault.exe iexplore.exe 1376 2304 WerFault.exe iexplore.exe 1948 1592 WerFault.exe iexplore.exe 1336 2132 WerFault.exe iexplore.exe 4372 4244 WerFault.exe iexplore.exe 4644 4656 WerFault.exe iexplore.exe 4720 4704 WerFault.exe iexplore.exe 4736 4724 WerFault.exe iexplore.exe 4592 4760 WerFault.exe iexplore.exe 4856 4804 WerFault.exe iexplore.exe 3216 4840 WerFault.exe iexplore.exe -
Suspicious use of SetThreadContext 38 IoCs
Processes:
fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exefed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exedescription pid process target process PID 808 set thread context of 4104 808 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe PID 4104 set thread context of 4180 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 4780 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 1076 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 4552 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 4800 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 2728 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 3780 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 2652 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 4996 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 5028 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 5080 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 5104 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 4112 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 912 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 4828 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 4380 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 4296 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 4332 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 4384 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 4436 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 3420 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 2624 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 2188 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 3992 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 4508 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 1896 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 4224 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 2304 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 1592 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 2132 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 4244 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 4656 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 4704 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 4724 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 4760 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 4804 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 set thread context of 4840 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exefed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exefed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exepid process 1204 powershell.exe 1204 powershell.exe 1204 powershell.exe 2588 powershell.exe 2588 powershell.exe 2588 powershell.exe 2168 powershell.exe 2168 powershell.exe 2168 powershell.exe 3496 powershell.exe 3496 powershell.exe 3496 powershell.exe 2280 powershell.exe 2280 powershell.exe 2280 powershell.exe 808 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 808 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 1204 powershell.exe Token: SeIncreaseQuotaPrivilege 1204 powershell.exe Token: SeSecurityPrivilege 1204 powershell.exe Token: SeTakeOwnershipPrivilege 1204 powershell.exe Token: SeLoadDriverPrivilege 1204 powershell.exe Token: SeSystemProfilePrivilege 1204 powershell.exe Token: SeSystemtimePrivilege 1204 powershell.exe Token: SeProfSingleProcessPrivilege 1204 powershell.exe Token: SeIncBasePriorityPrivilege 1204 powershell.exe Token: SeCreatePagefilePrivilege 1204 powershell.exe Token: SeBackupPrivilege 1204 powershell.exe Token: SeRestorePrivilege 1204 powershell.exe Token: SeShutdownPrivilege 1204 powershell.exe Token: SeDebugPrivilege 1204 powershell.exe Token: SeSystemEnvironmentPrivilege 1204 powershell.exe Token: SeRemoteShutdownPrivilege 1204 powershell.exe Token: SeUndockPrivilege 1204 powershell.exe Token: SeManageVolumePrivilege 1204 powershell.exe Token: 33 1204 powershell.exe Token: 34 1204 powershell.exe Token: 35 1204 powershell.exe Token: 36 1204 powershell.exe Token: SeIncreaseQuotaPrivilege 1204 powershell.exe Token: SeSecurityPrivilege 1204 powershell.exe Token: SeTakeOwnershipPrivilege 1204 powershell.exe Token: SeLoadDriverPrivilege 1204 powershell.exe Token: SeSystemProfilePrivilege 1204 powershell.exe Token: SeSystemtimePrivilege 1204 powershell.exe Token: SeProfSingleProcessPrivilege 1204 powershell.exe Token: SeIncBasePriorityPrivilege 1204 powershell.exe Token: SeCreatePagefilePrivilege 1204 powershell.exe Token: SeBackupPrivilege 1204 powershell.exe Token: SeRestorePrivilege 1204 powershell.exe Token: SeShutdownPrivilege 1204 powershell.exe Token: SeDebugPrivilege 1204 powershell.exe Token: SeSystemEnvironmentPrivilege 1204 powershell.exe Token: SeRemoteShutdownPrivilege 1204 powershell.exe Token: SeUndockPrivilege 1204 powershell.exe Token: SeManageVolumePrivilege 1204 powershell.exe Token: 33 1204 powershell.exe Token: 34 1204 powershell.exe Token: 35 1204 powershell.exe Token: 36 1204 powershell.exe Token: SeDebugPrivilege 2588 powershell.exe Token: SeIncreaseQuotaPrivilege 2588 powershell.exe Token: SeSecurityPrivilege 2588 powershell.exe Token: SeTakeOwnershipPrivilege 2588 powershell.exe Token: SeLoadDriverPrivilege 2588 powershell.exe Token: SeSystemProfilePrivilege 2588 powershell.exe Token: SeSystemtimePrivilege 2588 powershell.exe Token: SeProfSingleProcessPrivilege 2588 powershell.exe Token: SeIncBasePriorityPrivilege 2588 powershell.exe Token: SeCreatePagefilePrivilege 2588 powershell.exe Token: SeBackupPrivilege 2588 powershell.exe Token: SeRestorePrivilege 2588 powershell.exe Token: SeShutdownPrivilege 2588 powershell.exe Token: SeDebugPrivilege 2588 powershell.exe Token: SeSystemEnvironmentPrivilege 2588 powershell.exe Token: SeRemoteShutdownPrivilege 2588 powershell.exe Token: SeUndockPrivilege 2588 powershell.exe Token: SeManageVolumePrivilege 2588 powershell.exe Token: 33 2588 powershell.exe Token: 34 2588 powershell.exe Token: 35 2588 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exepid process 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exefed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exedescription pid process target process PID 808 wrote to memory of 1204 808 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe powershell.exe PID 808 wrote to memory of 1204 808 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe powershell.exe PID 808 wrote to memory of 1204 808 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe powershell.exe PID 808 wrote to memory of 2588 808 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe powershell.exe PID 808 wrote to memory of 2588 808 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe powershell.exe PID 808 wrote to memory of 2588 808 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe powershell.exe PID 808 wrote to memory of 2168 808 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe powershell.exe PID 808 wrote to memory of 2168 808 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe powershell.exe PID 808 wrote to memory of 2168 808 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe powershell.exe PID 808 wrote to memory of 3496 808 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe powershell.exe PID 808 wrote to memory of 3496 808 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe powershell.exe PID 808 wrote to memory of 3496 808 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe powershell.exe PID 808 wrote to memory of 2280 808 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe powershell.exe PID 808 wrote to memory of 2280 808 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe powershell.exe PID 808 wrote to memory of 2280 808 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe powershell.exe PID 808 wrote to memory of 4104 808 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe PID 808 wrote to memory of 4104 808 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe PID 808 wrote to memory of 4104 808 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe PID 808 wrote to memory of 4104 808 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe PID 808 wrote to memory of 4104 808 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe PID 808 wrote to memory of 4104 808 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe PID 808 wrote to memory of 4104 808 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe PID 4104 wrote to memory of 4180 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 4180 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 4180 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 4180 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 4180 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 4180 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 4180 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 4180 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 4780 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 4780 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 4780 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 4780 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 4780 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 4780 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 4780 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 4780 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 1076 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 1076 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 1076 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 1076 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 1076 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 1076 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 1076 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 1076 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 4552 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 4552 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 4552 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 4552 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 4552 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 4552 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 4552 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 4552 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 4800 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 4800 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 4800 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 4800 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 4800 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 4800 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 4800 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 4800 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 2728 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe PID 4104 wrote to memory of 2728 4104 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe"C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1204 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2588 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2168 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3496 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2280 -
C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe2⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4104 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:4180
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 244⤵
- Program crash
PID:4236 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:4780
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 244⤵
- Program crash
PID:4876 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:1076
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 244⤵
- Program crash
PID:384 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:4552
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 244⤵
- Program crash
PID:4580 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:4800
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 244⤵
- Program crash
PID:4832 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:2728
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 244⤵
- Program crash
PID:3908 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:3780
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 244⤵
- Program crash
PID:3568 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:2652
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 244⤵
- Program crash
PID:3820 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:4996
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 244⤵
- Program crash
PID:5036 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:5028
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 244⤵
- Program crash
PID:5060 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:5080
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 244⤵
- Program crash
PID:5100 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:5104
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 244⤵
- Program crash
PID:1324 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:4112
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 244⤵
- Program crash
PID:4148 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:912
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 244⤵
- Program crash
PID:992 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:4828
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 244⤵
- Program crash
PID:4276 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:4380
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 244⤵
- Program crash
PID:612 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:4296
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 244⤵
- Program crash
PID:4328 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:4332
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 244⤵
- Program crash
PID:4340 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:4384
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 244⤵
- Program crash
PID:4412 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:4436
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 244⤵
- Program crash
PID:2632 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:3420
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 244⤵
- Program crash
PID:2072 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:2624
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 244⤵
- Program crash
PID:2168 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:2188
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 244⤵
- Program crash
PID:4464 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:3992
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 244⤵
- Program crash
PID:4488 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:4508
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 244⤵
- Program crash
PID:4520 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:1896
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 244⤵
- Program crash
PID:4548 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:4224
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 244⤵
- Program crash
PID:2220 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:2304
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 244⤵
- Program crash
PID:1376 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:1592
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 244⤵
- Program crash
PID:1948 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:2132
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 244⤵
- Program crash
PID:1336 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:4244
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 244⤵
- Program crash
PID:4372 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:4656
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 244⤵
- Program crash
PID:4644 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:4704
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 244⤵
- Program crash
PID:4720 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:4724
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 244⤵
- Program crash
PID:4736 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:4760
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 244⤵
- Program crash
PID:4592 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:4804
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 244⤵
- Program crash
PID:4856 -
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe3⤵PID:4840
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 244⤵
- Program crash
PID:3216
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
a4022a7d2b113226b000be0705680813
SHA1599e22d03201704127a045ca53ffb78f9ea3b6c3
SHA2562557a14e476d55330043af2858dbf1377e24dba3fa9aedc369d5feefefb7f9a7
SHA51240ef88632a4ad38a7d21c640a7f0c8cd7c76b8451f55dd758c15baa5a90f4f0938de409426570c4405362fd2d90fadd96d23d190e09692b5fbe2c87ebc8d3c60
-
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc
SHA175c07243f9cb80a9c7aed2865f9c5192cc920e7e
SHA25691ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586
SHA512db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d
-
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc
SHA175c07243f9cb80a9c7aed2865f9c5192cc920e7e
SHA25691ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586
SHA512db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d
-
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc
SHA175c07243f9cb80a9c7aed2865f9c5192cc920e7e
SHA25691ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586
SHA512db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d
-
MD5
6859e824175cd5510a400d8d21726895
SHA1fc5ed8a2d35f06baa5b415cd211637de4dc44ba5
SHA256873821c156ba798515416aac6678de597a7c31f3e4fbec45a1c1787c46b9b603
SHA512cc49a385ee7e439c7510487bcda2f2144a1ad731a8493aca6ad9b245b2b052475fa084d6b032d8b76f66fbbe5df5c7534b8b638f7ea64bd58bbc21e0e96eee35
-
MD5
50eb7475b505935d5d7ad2720e602873
SHA165bee1d9d07d2a74ce088985724228297870ba9a
SHA25668b61ac8c2aaa26c79c1d3b310f61c3111c723cdd478129bef5cfb2d3f0277ef
SHA5124569d6295e4864635067851333eac3dbcb437eb87d9b15b37b84021e0e27c102696c96daff9f36e82937e22491afb6133692328bada85fcb6bae74e921bd302e
-
MD5
4758bfe3f091a42feba6fab1df869683
SHA13bba689b4a526a823d191363e57fd97a5784fcb7
SHA2564894bef3088b5d79570154208e404a066e416d1e7c5d589a7aa42b3b990212f6
SHA512168678865ac373db8b8605e2ec48c7cc3a36dabd7cafb937a773214d3a6359f5bf9661322d304890469de9f59fd3ccf428f5dc942b0053a627b5cc96a13e2184
-
MD5
3ce02f412b5d325335369fc0f44e0efa
SHA1cba5b00763cd1c3a1e4c2c8a736f5e7c6f17b575
SHA256602bd6bc1b8f901073129068d5956193dd1848cb062a1e5319fd5438e8e46f12
SHA5120deb1029f8584776ff96931c70a551e9b8b23116cecb7a62f1d5c7ed132a1d354f78f75b039e3a4fd04d3febabcc8513df083b32563c235b9cbbff7956678a48