Malware Analysis Report

2024-10-19 07:37

Sample ID 211001-h7ev2abbf9
Target fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin
SHA256 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98
Tags
xpertrat test evasion rat trojan persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98

Threat Level: Known bad

The file fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin was found to be: Known bad.

Malicious Activity Summary

xpertrat test evasion rat trojan persistence

XpertRAT

Windows security bypass

UAC bypass

XpertRAT Core Payload

Adds policy Run key to start application

Deletes itself

Windows security modification

Program crash

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-10-01 07:22

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2021-10-01 07:22

Reported

2021-10-01 07:25

Platform

win10v20210408

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe"

Signatures

UAC bypass

evasion trojan

Windows security bypass

evasion trojan

XpertRAT

rat xpertrat

XpertRAT Core Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 808 set thread context of 4104 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
PID 4104 set thread context of 4180 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 4780 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 1076 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 4552 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 4800 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 2728 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 3780 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 2652 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 4996 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 5028 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 5080 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 5104 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 4112 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 912 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 4828 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 4380 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 4296 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 4332 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 4384 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 4436 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 3420 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 2624 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 2188 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 3992 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 4508 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 1896 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 4224 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 2304 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 1592 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 2132 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 4244 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 4656 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 4704 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 4724 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 4760 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 4804 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 set thread context of 4840 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 808 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 808 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
PID 808 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
PID 808 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
PID 808 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
PID 808 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
PID 808 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
PID 808 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
PID 4104 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4104 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

"C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 24

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp

Files

memory/808-114-0x00000000008F0000-0x00000000008F1000-memory.dmp

memory/808-116-0x0000000005680000-0x0000000005681000-memory.dmp

memory/808-117-0x0000000005220000-0x0000000005221000-memory.dmp

memory/808-118-0x0000000005190000-0x0000000005191000-memory.dmp

memory/808-119-0x0000000005160000-0x0000000005161000-memory.dmp

memory/1204-120-0x0000000000000000-mapping.dmp

memory/1204-123-0x0000000006E50000-0x0000000006E51000-memory.dmp

memory/1204-124-0x0000000006DF0000-0x0000000006DF1000-memory.dmp

memory/1204-125-0x0000000007490000-0x0000000007491000-memory.dmp

memory/1204-126-0x0000000007B00000-0x0000000007B01000-memory.dmp

memory/1204-127-0x0000000007BA0000-0x0000000007BA1000-memory.dmp

memory/1204-128-0x0000000006E52000-0x0000000006E53000-memory.dmp

memory/1204-129-0x0000000007E60000-0x0000000007E61000-memory.dmp

memory/1204-130-0x0000000007ED0000-0x0000000007ED1000-memory.dmp

memory/1204-131-0x0000000007E30000-0x0000000007E31000-memory.dmp

memory/1204-132-0x00000000087D0000-0x00000000087D1000-memory.dmp

memory/1204-133-0x00000000085A0000-0x00000000085A1000-memory.dmp

memory/1204-138-0x0000000009330000-0x0000000009331000-memory.dmp

memory/1204-139-0x0000000009250000-0x0000000009251000-memory.dmp

memory/1204-140-0x00000000092C0000-0x00000000092C1000-memory.dmp

memory/2588-142-0x0000000000000000-mapping.dmp

memory/2588-150-0x0000000006AE0000-0x0000000006AE1000-memory.dmp

memory/2588-152-0x0000000006AE2000-0x0000000006AE3000-memory.dmp

memory/1204-154-0x0000000006E53000-0x0000000006E54000-memory.dmp

memory/1204-162-0x000000000A6D0000-0x000000000A6D1000-memory.dmp

memory/2588-207-0x0000000006AE3000-0x0000000006AE4000-memory.dmp

memory/2168-260-0x0000000000000000-mapping.dmp

memory/2168-269-0x0000000004480000-0x0000000004481000-memory.dmp

memory/2168-271-0x0000000004482000-0x0000000004483000-memory.dmp

memory/2168-347-0x0000000004483000-0x0000000004484000-memory.dmp

memory/3496-370-0x0000000000000000-mapping.dmp

memory/3496-409-0x00000000074B0000-0x00000000074B1000-memory.dmp

memory/3496-414-0x00000000074B2000-0x00000000074B3000-memory.dmp

memory/3496-493-0x00000000074B3000-0x00000000074B4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 c2d06c11dd1f1a8b1dedc1a311ca8cdc
SHA1 75c07243f9cb80a9c7aed2865f9c5192cc920e7e
SHA256 91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586
SHA512 db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

memory/2280-533-0x0000000000000000-mapping.dmp

memory/2280-587-0x00000000067E0000-0x00000000067E1000-memory.dmp

memory/2280-589-0x00000000067E2000-0x00000000067E3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 c2d06c11dd1f1a8b1dedc1a311ca8cdc
SHA1 75c07243f9cb80a9c7aed2865f9c5192cc920e7e
SHA256 91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586
SHA512 db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

memory/2280-687-0x00000000067E3000-0x00000000067E4000-memory.dmp

memory/2280-688-0x00000000067E4000-0x00000000067E6000-memory.dmp

memory/4104-870-0x00000000004010B8-mapping.dmp

memory/4180-874-0x0000000000401364-mapping.dmp

memory/4104-907-0x0000000000400000-0x000000000042C000-memory.dmp

memory/4780-991-0x0000000000401364-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 c2d06c11dd1f1a8b1dedc1a311ca8cdc
SHA1 75c07243f9cb80a9c7aed2865f9c5192cc920e7e
SHA256 91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586
SHA512 db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6859e824175cd5510a400d8d21726895
SHA1 fc5ed8a2d35f06baa5b415cd211637de4dc44ba5
SHA256 873821c156ba798515416aac6678de597a7c31f3e4fbec45a1c1787c46b9b603
SHA512 cc49a385ee7e439c7510487bcda2f2144a1ad731a8493aca6ad9b245b2b052475fa084d6b032d8b76f66fbbe5df5c7534b8b638f7ea64bd58bbc21e0e96eee35

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 a4022a7d2b113226b000be0705680813
SHA1 599e22d03201704127a045ca53ffb78f9ea3b6c3
SHA256 2557a14e476d55330043af2858dbf1377e24dba3fa9aedc369d5feefefb7f9a7
SHA512 40ef88632a4ad38a7d21c640a7f0c8cd7c76b8451f55dd758c15baa5a90f4f0938de409426570c4405362fd2d90fadd96d23d190e09692b5fbe2c87ebc8d3c60

memory/1076-1076-0x0000000000401364-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 50eb7475b505935d5d7ad2720e602873
SHA1 65bee1d9d07d2a74ce088985724228297870ba9a
SHA256 68b61ac8c2aaa26c79c1d3b310f61c3111c723cdd478129bef5cfb2d3f0277ef
SHA512 4569d6295e4864635067851333eac3dbcb437eb87d9b15b37b84021e0e27c102696c96daff9f36e82937e22491afb6133692328bada85fcb6bae74e921bd302e

memory/4552-1160-0x0000000000401364-mapping.dmp

memory/4800-1225-0x0000000000401364-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4758bfe3f091a42feba6fab1df869683
SHA1 3bba689b4a526a823d191363e57fd97a5784fcb7
SHA256 4894bef3088b5d79570154208e404a066e416d1e7c5d589a7aa42b3b990212f6
SHA512 168678865ac373db8b8605e2ec48c7cc3a36dabd7cafb937a773214d3a6359f5bf9661322d304890469de9f59fd3ccf428f5dc942b0053a627b5cc96a13e2184

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3ce02f412b5d325335369fc0f44e0efa
SHA1 cba5b00763cd1c3a1e4c2c8a736f5e7c6f17b575
SHA256 602bd6bc1b8f901073129068d5956193dd1848cb062a1e5319fd5438e8e46f12
SHA512 0deb1029f8584776ff96931c70a551e9b8b23116cecb7a62f1d5c7ed132a1d354f78f75b039e3a4fd04d3febabcc8513df083b32563c235b9cbbff7956678a48

memory/2728-1264-0x0000000000401364-mapping.dmp

memory/3780-1266-0x0000000000401364-mapping.dmp

memory/2652-1268-0x0000000000401364-mapping.dmp

memory/4996-1270-0x0000000000401364-mapping.dmp

memory/5028-1272-0x0000000000401364-mapping.dmp

memory/5080-1274-0x0000000000401364-mapping.dmp

memory/5104-1276-0x0000000000401364-mapping.dmp

memory/4112-1278-0x0000000000401364-mapping.dmp

memory/912-1280-0x0000000000401364-mapping.dmp

memory/4828-1282-0x0000000000401364-mapping.dmp

memory/4380-1284-0x0000000000401364-mapping.dmp

memory/4296-1286-0x0000000000401364-mapping.dmp

memory/4332-1288-0x0000000000401364-mapping.dmp

memory/4384-1290-0x0000000000401364-mapping.dmp

memory/4436-1292-0x0000000000401364-mapping.dmp

memory/3420-1294-0x0000000000401364-mapping.dmp

memory/2624-1296-0x0000000000401364-mapping.dmp

memory/2188-1298-0x0000000000401364-mapping.dmp

memory/3992-1300-0x0000000000401364-mapping.dmp

memory/4508-1302-0x0000000000401364-mapping.dmp

memory/1896-1304-0x0000000000401364-mapping.dmp

memory/4224-1306-0x0000000000401364-mapping.dmp

memory/2304-1308-0x0000000000401364-mapping.dmp

memory/1592-1310-0x0000000000401364-mapping.dmp

memory/2132-1312-0x0000000000401364-mapping.dmp

memory/4244-1314-0x0000000000401364-mapping.dmp

memory/4656-1316-0x0000000000401364-mapping.dmp

memory/4704-1318-0x0000000000401364-mapping.dmp

memory/4724-1320-0x0000000000401364-mapping.dmp

memory/4760-1322-0x0000000000401364-mapping.dmp

memory/4804-1324-0x0000000000401364-mapping.dmp

memory/4840-1326-0x0000000000401364-mapping.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2021-10-01 07:22

Reported

2021-10-01 07:25

Platform

win7-en-20210920

Max time kernel

149s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe"

Signatures

UAC bypass

evasion trojan

Windows security bypass

evasion trojan

XpertRAT

rat xpertrat

XpertRAT Core Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\notepad.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1544 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
PID 1544 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
PID 1544 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
PID 1544 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
PID 1544 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
PID 1544 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
PID 1544 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
PID 1544 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
PID 744 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 744 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 744 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 744 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 744 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 744 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 744 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 744 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 744 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 516 wrote to memory of 672 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 516 wrote to memory of 672 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 516 wrote to memory of 672 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 516 wrote to memory of 672 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 516 wrote to memory of 672 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

"C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Windows\SysWOW64\notepad.exe

notepad.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 time.google.com udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
US 8.8.8.8:53 dns.google udp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp

Files

memory/1544-53-0x0000000000310000-0x0000000000311000-memory.dmp

memory/1544-55-0x00000000007C0000-0x00000000007C1000-memory.dmp

memory/1700-56-0x0000000000000000-mapping.dmp

memory/1700-57-0x0000000074B91000-0x0000000074B93000-memory.dmp

memory/1700-58-0x00000000023C0000-0x000000000300A000-memory.dmp

memory/320-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 51664d5229299fe0d5e213a4e9368bf9
SHA1 2c17f962e0c623267936bb08a7a0d88b35809ceb
SHA256 34190fba1faaed501f4efa8ac443f408d625f4c72a5a2da37dd2aa998024787c
SHA512 1b46144d4cdc51bec067cb2dbb8a04cdc65626fe21e8319cf95aff0c381d4d70dcbaf2fe196c103cdad396ab658eb9cc8f074db0913472a1c039f92de1cad9aa

memory/892-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 51664d5229299fe0d5e213a4e9368bf9
SHA1 2c17f962e0c623267936bb08a7a0d88b35809ceb
SHA256 34190fba1faaed501f4efa8ac443f408d625f4c72a5a2da37dd2aa998024787c
SHA512 1b46144d4cdc51bec067cb2dbb8a04cdc65626fe21e8319cf95aff0c381d4d70dcbaf2fe196c103cdad396ab658eb9cc8f074db0913472a1c039f92de1cad9aa

memory/892-66-0x0000000002441000-0x0000000002442000-memory.dmp

memory/892-65-0x0000000002440000-0x0000000002441000-memory.dmp

memory/892-67-0x0000000002442000-0x0000000002444000-memory.dmp

memory/1084-68-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 51664d5229299fe0d5e213a4e9368bf9
SHA1 2c17f962e0c623267936bb08a7a0d88b35809ceb
SHA256 34190fba1faaed501f4efa8ac443f408d625f4c72a5a2da37dd2aa998024787c
SHA512 1b46144d4cdc51bec067cb2dbb8a04cdc65626fe21e8319cf95aff0c381d4d70dcbaf2fe196c103cdad396ab658eb9cc8f074db0913472a1c039f92de1cad9aa

memory/1084-71-0x0000000001D90000-0x0000000001D91000-memory.dmp

memory/1084-72-0x0000000001D91000-0x0000000001D92000-memory.dmp

memory/1084-73-0x0000000001D92000-0x0000000001D94000-memory.dmp

memory/1836-74-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 51664d5229299fe0d5e213a4e9368bf9
SHA1 2c17f962e0c623267936bb08a7a0d88b35809ceb
SHA256 34190fba1faaed501f4efa8ac443f408d625f4c72a5a2da37dd2aa998024787c
SHA512 1b46144d4cdc51bec067cb2dbb8a04cdc65626fe21e8319cf95aff0c381d4d70dcbaf2fe196c103cdad396ab658eb9cc8f074db0913472a1c039f92de1cad9aa

memory/1836-77-0x00000000023A0000-0x0000000002FEA000-memory.dmp

memory/1836-78-0x00000000023A0000-0x0000000002FEA000-memory.dmp

memory/1544-79-0x0000000005880000-0x00000000058D4000-memory.dmp

memory/1544-80-0x0000000000A80000-0x0000000000AAA000-memory.dmp

memory/744-81-0x0000000000400000-0x000000000042C000-memory.dmp

memory/744-82-0x00000000004010B8-mapping.dmp

memory/516-85-0x0000000000400000-0x0000000000443000-memory.dmp

memory/516-86-0x0000000000401364-mapping.dmp

memory/516-87-0x0000000000660000-0x00000000007B3000-memory.dmp

memory/672-90-0x0000000000000000-mapping.dmp