xpertrat | 3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa

General

Target

3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
Size

1.4MB
MD5

4ef7b35bd9151fc5538c06ae79a0e2fc
SHA1

c45198609f71e795ccc9e5a2ec1ad3162141da76
SHA256

3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa
SHA512

aef9ad91b889f4c615dc278ebedc0017a32b3024fef812ae90929dac7c83a0cb4a41fcb26d4bee2588ffebf50745cdd9174a73e44b83db99fefccf6e9b18615d

Score

10^/10

xpertrat test evasion rat trojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Test

C2

kapasky-antivirus.firewall-gateway.net:4000

Mutex

L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

XpertRAT Core Payload 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2656-1636-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/2712-1638-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/2276-1640-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/4068-1642-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/3364-1644-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/2812-1646-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/1792-1648-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/1500-1650-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/3820-1652-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/2164-1654-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/2700-1656-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/3256-1658-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/2340-1660-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/2364-1662-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/2360-1664-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/3776-1666-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/900-1668-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/2472-1670-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/2688-1672-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/2212-1674-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/1800-1676-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/4072-1678-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/2248-1680-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/1296-1682-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/2720-1684-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/3368-1686-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/3888-1688-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/1428-1690-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/2676-1692-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/3556-1694-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/3428-1696-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/1236-1698-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/1804-1700-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/432-1702-0x0000000000401364-mapping.dmp	xpertrat

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

Program crash 34 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3556	2656	WerFault.exe	iexplore.exe
516	2712	WerFault.exe	iexplore.exe
2616	2276	WerFault.exe	iexplore.exe
8	4068	WerFault.exe	iexplore.exe
2212	3364	WerFault.exe	iexplore.exe
3924	2812	WerFault.exe	iexplore.exe
1640	1792	WerFault.exe	iexplore.exe
1016	1500	WerFault.exe	iexplore.exe
1336	3820	WerFault.exe	iexplore.exe
3144	2164	WerFault.exe	iexplore.exe
3132	2700	WerFault.exe	iexplore.exe
960	3256	WerFault.exe	iexplore.exe
3852	2340	WerFault.exe	iexplore.exe
2140	2364	WerFault.exe	iexplore.exe
2672	2360	WerFault.exe	iexplore.exe
4080	3776	WerFault.exe	iexplore.exe
3320	900	WerFault.exe	iexplore.exe
4064	2472	WerFault.exe	iexplore.exe
1616	2688	WerFault.exe	iexplore.exe
4036	2212	WerFault.exe	iexplore.exe
1796	1800	WerFault.exe	iexplore.exe
864	4072	WerFault.exe	iexplore.exe
2384	2248	WerFault.exe	iexplore.exe
2760	1296	WerFault.exe	iexplore.exe
1000	2720	WerFault.exe	iexplore.exe
3852	3368	WerFault.exe	iexplore.exe
392	3888	WerFault.exe	iexplore.exe
1576	1428	WerFault.exe	iexplore.exe
3168	2676	WerFault.exe	iexplore.exe
2936	3556	WerFault.exe	iexplore.exe
4028	3428	WerFault.exe	iexplore.exe
2824	1236	WerFault.exe	iexplore.exe
1796	1804	WerFault.exe	iexplore.exe
812	432	WerFault.exe	iexplore.exe

Suspicious use of SetThreadContext 35 IoCs

Processes:

3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

description	pid	process	target process
PID 1576 set thread context of 3312	1576	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
PID 3312 set thread context of 2656	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 2712	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 2276	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 4068	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 3364	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 2812	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 1792	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 1500	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 3820	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 2164	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 2700	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 3256	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 2340	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 2364	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 2360	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 3776	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 900	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 2472	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 2688	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 2212	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 1800	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 4072	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 2248	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 1296	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 2720	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 3368	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 3888	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 1428	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 2676	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 3556	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 3428	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 1236	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 1804	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 set thread context of 432	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exe3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

pid	process
2420	powershell.exe
2420	powershell.exe
2420	powershell.exe
1124	powershell.exe
1124	powershell.exe
1124	powershell.exe
3852	powershell.exe
3852	powershell.exe
3852	powershell.exe
1576	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
1576	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
1576	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeIncreaseQuotaPrivilege	2420	powershell.exe
Token: SeSecurityPrivilege	2420	powershell.exe
Token: SeTakeOwnershipPrivilege	2420	powershell.exe
Token: SeLoadDriverPrivilege	2420	powershell.exe
Token: SeSystemProfilePrivilege	2420	powershell.exe
Token: SeSystemtimePrivilege	2420	powershell.exe
Token: SeProfSingleProcessPrivilege	2420	powershell.exe
Token: SeIncBasePriorityPrivilege	2420	powershell.exe
Token: SeCreatePagefilePrivilege	2420	powershell.exe
Token: SeBackupPrivilege	2420	powershell.exe
Token: SeRestorePrivilege	2420	powershell.exe
Token: SeShutdownPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeSystemEnvironmentPrivilege	2420	powershell.exe
Token: SeRemoteShutdownPrivilege	2420	powershell.exe
Token: SeUndockPrivilege	2420	powershell.exe
Token: SeManageVolumePrivilege	2420	powershell.exe
Token: 33	2420	powershell.exe
Token: 34	2420	powershell.exe
Token: 35	2420	powershell.exe
Token: 36	2420	powershell.exe
Token: SeIncreaseQuotaPrivilege	2420	powershell.exe
Token: SeSecurityPrivilege	2420	powershell.exe
Token: SeTakeOwnershipPrivilege	2420	powershell.exe
Token: SeLoadDriverPrivilege	2420	powershell.exe
Token: SeSystemProfilePrivilege	2420	powershell.exe
Token: SeSystemtimePrivilege	2420	powershell.exe
Token: SeProfSingleProcessPrivilege	2420	powershell.exe
Token: SeIncBasePriorityPrivilege	2420	powershell.exe
Token: SeCreatePagefilePrivilege	2420	powershell.exe
Token: SeBackupPrivilege	2420	powershell.exe
Token: SeRestorePrivilege	2420	powershell.exe
Token: SeShutdownPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeSystemEnvironmentPrivilege	2420	powershell.exe
Token: SeRemoteShutdownPrivilege	2420	powershell.exe
Token: SeUndockPrivilege	2420	powershell.exe
Token: SeManageVolumePrivilege	2420	powershell.exe
Token: 33	2420	powershell.exe
Token: 34	2420	powershell.exe
Token: 35	2420	powershell.exe
Token: 36	2420	powershell.exe
Token: SeIncreaseQuotaPrivilege	2420	powershell.exe
Token: SeSecurityPrivilege	2420	powershell.exe
Token: SeTakeOwnershipPrivilege	2420	powershell.exe
Token: SeLoadDriverPrivilege	2420	powershell.exe
Token: SeSystemProfilePrivilege	2420	powershell.exe
Token: SeSystemtimePrivilege	2420	powershell.exe
Token: SeProfSingleProcessPrivilege	2420	powershell.exe
Token: SeIncBasePriorityPrivilege	2420	powershell.exe
Token: SeCreatePagefilePrivilege	2420	powershell.exe
Token: SeBackupPrivilege	2420	powershell.exe
Token: SeRestorePrivilege	2420	powershell.exe
Token: SeShutdownPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeSystemEnvironmentPrivilege	2420	powershell.exe
Token: SeRemoteShutdownPrivilege	2420	powershell.exe
Token: SeUndockPrivilege	2420	powershell.exe
Token: SeManageVolumePrivilege	2420	powershell.exe
Token: 33	2420	powershell.exe
Token: 34	2420	powershell.exe
Token: 35	2420	powershell.exe
Token: 36	2420	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

pid process

3312 3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

iexplore.exe

pid process

2164 iexplore.exe
2164 iexplore.exe

pid	process
3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

pid	process
2164	iexplore.exe
2164	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

description	pid	process	target process
PID 1576 wrote to memory of 2420	1576	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	powershell.exe
PID 1576 wrote to memory of 2420	1576	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	powershell.exe
PID 1576 wrote to memory of 2420	1576	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	powershell.exe
PID 1576 wrote to memory of 1124	1576	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	powershell.exe
PID 1576 wrote to memory of 1124	1576	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	powershell.exe
PID 1576 wrote to memory of 1124	1576	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	powershell.exe
PID 1576 wrote to memory of 3852	1576	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	powershell.exe
PID 1576 wrote to memory of 3852	1576	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	powershell.exe
PID 1576 wrote to memory of 3852	1576	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	powershell.exe
PID 1576 wrote to memory of 3312	1576	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
PID 1576 wrote to memory of 3312	1576	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
PID 1576 wrote to memory of 3312	1576	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
PID 1576 wrote to memory of 3312	1576	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
PID 1576 wrote to memory of 3312	1576	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
PID 1576 wrote to memory of 3312	1576	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
PID 1576 wrote to memory of 3312	1576	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
PID 3312 wrote to memory of 2656	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 2656	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 2656	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 2656	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 2656	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 2656	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 2656	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 2656	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 2712	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 2712	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 2712	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 2712	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 2712	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 2712	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 2712	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 2712	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 2276	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 2276	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 2276	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 2276	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 2276	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 2276	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 2276	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 2276	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 4068	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 4068	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 4068	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 4068	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 4068	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 4068	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 4068	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 4068	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 3364	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 3364	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 3364	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 3364	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 3364	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 3364	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 3364	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 3364	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 2812	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 2812	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 2812	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 2812	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 2812	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 2812	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 2812	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe
PID 3312 wrote to memory of 2812	3312	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe	iexplore.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
"C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitter.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitter.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1124

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitter.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3852

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
2⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3312

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 24
4⤵
- Program crash
PID:3556

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 24
4⤵
- Program crash
PID:516

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 24
4⤵
- Program crash
PID:2616

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 24
4⤵
- Program crash
PID:8

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 24
4⤵
- Program crash
PID:2212

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 24
4⤵
- Program crash
PID:3924

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 24
4⤵
- Program crash
PID:1640

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 24
4⤵
- Program crash
PID:1016

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 24
4⤵
- Program crash
PID:1336

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
- Suspicious use of UnmapMainImage
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 24
4⤵
- Program crash
PID:3144

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 24
4⤵
- Program crash
PID:3132

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 24
4⤵
- Program crash
PID:960

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 24
4⤵
- Program crash
PID:3852

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 24
4⤵
- Program crash
PID:2140

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 24
4⤵
- Program crash
PID:2672

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 24
4⤵
- Program crash
PID:4080

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 24
4⤵
- Program crash
PID:3320

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 24
4⤵
- Program crash
PID:4064

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 24
4⤵
- Program crash
PID:1616

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 24
4⤵
- Program crash
PID:4036

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 24
4⤵
- Program crash
PID:1796

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 24
4⤵
- Program crash
PID:864

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 24
4⤵
- Program crash
PID:2384

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 24
4⤵
- Program crash
PID:2760

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 24
4⤵
- Program crash
PID:1000

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 24
4⤵
- Program crash
PID:3852

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 24
4⤵
- Program crash
PID:392

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 24
4⤵
- Program crash
PID:1576

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 24
4⤵
- Program crash
PID:3168

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 24
4⤵
- Program crash
PID:2936

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 24
4⤵
- Program crash
PID:4028

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 24
4⤵
- Program crash
PID:2824

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 24
4⤵
- Program crash
PID:1796

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
3⤵
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 24
4⤵
- Program crash
PID:812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

3

T1089

Modify Registry

4

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1712dab0a1bf4e9e3ff666b9c431550d

SHA1
34d1dec8fa95f62c72cb3f92a22c13ad9eece10f

SHA256
7184a35390c8d6549ef4ddf2909c8fc3446572229bb1788fe178332d80ebfa97

SHA512
6ae29c37c11c851ed337afee3c3ad654593063e76df88a6974933e449ac8d86bfa005b9bf2e0ee29aad4647b8f8f32ac753587077fd745424be7f9765688e7b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
1c33ff599b382b705675229c91fc2f99

SHA1
c20086746c14c5d57be9a3df47bd75fa77abe7e0

SHA256
d46b6790776328125154bb8231deafcc7786911bea48fbcd2742c05fa1c4da0a

SHA512
5b975f6b0d5407d8d43975c0fd0c26ecb155f6ee9b7416e39478f84e97deea590d1eb0cf2a972adcf96eba6745fdef472f6fcf51d85cd53c2da9b4c550ee413c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
174998e1d4c4765e4e6855f33ad0ec21

SHA1
f64f74a0be86a9122f0ef0c6697f06f72e23b3b4

SHA256
0f3c5c286ddc1779fde2d29af58209a18cc163815ebaf8e2ce347c06a8af836e

SHA512
7bcb948ac7eebaadbb6bb34728bc8c0b7155cfac6f72adff8a77ba7353afeaf970ef0669354aeec64ef5893309b92947b26005d92a59edddb8f6443e751be534

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5889af6ab57831d6774cf82ddc7c2364

SHA1
fd252932673d10a7ac6c0b0750250697bd507f79

SHA256
445d4ab7e578a1b437c697ecfb7a93bc1887d2cfff3c0de62e04c8ccb5b04a5c

SHA512
f1e18143b3e5c4d5d03f6d69d77fa4337305271e845a24820ae54c61066787b061b7e782ecbd3878f4933fec793cffe10e325a3b0aa8371e5812764104826852

Download Submit
memory/432-1702-0x0000000000401364-mapping.dmp

Download
memory/900-1668-0x0000000000401364-mapping.dmp

Download
memory/1124-676-0x0000000000000000-mapping.dmp

Download
memory/1124-690-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/1124-691-0x0000000001092000-0x0000000001093000-memory.dmp

Filesize
4KB

Download
memory/1124-803-0x0000000001093000-0x0000000001094000-memory.dmp

Filesize
4KB

Download
memory/1124-805-0x0000000001094000-0x0000000001096000-memory.dmp

Filesize
8KB

Download
memory/1124-1038-0x0000000001096000-0x0000000001097000-memory.dmp

Filesize
4KB

Download
memory/1236-1698-0x0000000000401364-mapping.dmp

Download
memory/1296-1682-0x0000000000401364-mapping.dmp

Download
memory/1428-1690-0x0000000000401364-mapping.dmp

Download
memory/1500-1650-0x0000000000401364-mapping.dmp

Download
memory/1576-1632-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/1576-115-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1792-1648-0x0000000000401364-mapping.dmp

Download
memory/1800-1676-0x0000000000401364-mapping.dmp

Download
memory/1804-1700-0x0000000000401364-mapping.dmp

Download
memory/2164-1654-0x0000000000401364-mapping.dmp

Download
memory/2212-1674-0x0000000000401364-mapping.dmp

Download
memory/2248-1680-0x0000000000401364-mapping.dmp

Download
memory/2276-1640-0x0000000000401364-mapping.dmp

Download
memory/2340-1660-0x0000000000401364-mapping.dmp

Download
memory/2360-1664-0x0000000000401364-mapping.dmp

Download
memory/2364-1662-0x0000000000401364-mapping.dmp

Download
memory/2420-380-0x000000000AEA0000-0x000000000AEA1000-memory.dmp

Filesize
4KB

Download
memory/2420-125-0x0000000007E40000-0x0000000007E41000-memory.dmp

Filesize
4KB

Download
memory/2420-569-0x0000000008530000-0x0000000008531000-memory.dmp

Filesize
4KB

Download
memory/2420-551-0x000000000AB20000-0x000000000AB21000-memory.dmp

Filesize
4KB

Download
memory/2420-468-0x0000000009130000-0x0000000009131000-memory.dmp

Filesize
4KB

Download
memory/2420-392-0x0000000008460000-0x0000000008461000-memory.dmp

Filesize
4KB

Download
memory/2420-381-0x00000000097F0000-0x00000000097F1000-memory.dmp

Filesize
4KB

Download
memory/2420-117-0x0000000000000000-mapping.dmp

Download
memory/2420-221-0x0000000004A23000-0x0000000004A24000-memory.dmp

Filesize
4KB

Download
memory/2420-120-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/2420-121-0x0000000007450000-0x0000000007451000-memory.dmp

Filesize
4KB

Download
memory/2420-122-0x0000000007270000-0x0000000007271000-memory.dmp

Filesize
4KB

Download
memory/2420-123-0x0000000007A80000-0x0000000007A81000-memory.dmp

Filesize
4KB

Download
memory/2420-124-0x0000000007CD0000-0x0000000007CD1000-memory.dmp

Filesize
4KB

Download
memory/2420-612-0x0000000004A26000-0x0000000004A28000-memory.dmp

Filesize
8KB

Download
memory/2420-126-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/2420-220-0x000000007EF90000-0x000000007EF91000-memory.dmp

Filesize
4KB

Download
memory/2420-127-0x0000000004A22000-0x0000000004A23000-memory.dmp

Filesize
4KB

Download
memory/2420-128-0x0000000007BB0000-0x0000000007BB1000-memory.dmp

Filesize
4KB

Download
memory/2420-151-0x00000000096F0000-0x00000000096F1000-memory.dmp

Filesize
4KB

Download
memory/2420-129-0x00000000085C0000-0x00000000085C1000-memory.dmp

Filesize
4KB

Download
memory/2420-130-0x0000000008480000-0x0000000008481000-memory.dmp

Filesize
4KB

Download
memory/2420-138-0x00000000091B0000-0x00000000091E3000-memory.dmp

Filesize
204KB

Download
memory/2420-150-0x0000000009520000-0x0000000009521000-memory.dmp

Filesize
4KB

Download
memory/2420-145-0x0000000009190000-0x0000000009191000-memory.dmp

Filesize
4KB

Download
memory/2472-1670-0x0000000000401364-mapping.dmp

Download
memory/2656-1636-0x0000000000401364-mapping.dmp

Download
memory/2676-1692-0x0000000000401364-mapping.dmp

Download
memory/2688-1672-0x0000000000401364-mapping.dmp

Download
memory/2700-1656-0x0000000000401364-mapping.dmp

Download
memory/2712-1638-0x0000000000401364-mapping.dmp

Download
memory/2720-1684-0x0000000000401364-mapping.dmp

Download
memory/2812-1646-0x0000000000401364-mapping.dmp

Download
memory/3256-1658-0x0000000000401364-mapping.dmp

Download
memory/3312-1630-0x00000000004010B8-mapping.dmp

Download
memory/3312-1633-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3364-1644-0x0000000000401364-mapping.dmp

Download
memory/3368-1686-0x0000000000401364-mapping.dmp

Download
memory/3428-1696-0x0000000000401364-mapping.dmp

Download
memory/3556-1694-0x0000000000401364-mapping.dmp

Download
memory/3776-1666-0x0000000000401364-mapping.dmp

Download
memory/3820-1652-0x0000000000401364-mapping.dmp

Download
memory/3852-1529-0x0000000007396000-0x0000000007397000-memory.dmp

Filesize
4KB

Download
memory/3852-1246-0x0000000007393000-0x0000000007394000-memory.dmp

Filesize
4KB

Download
memory/3852-1247-0x0000000007394000-0x0000000007396000-memory.dmp

Filesize
8KB

Download
memory/3852-1166-0x0000000007392000-0x0000000007393000-memory.dmp

Filesize
4KB

Download
memory/3852-1165-0x0000000007390000-0x0000000007391000-memory.dmp

Filesize
4KB

Download
memory/3852-1152-0x0000000000000000-mapping.dmp

Download
memory/3888-1688-0x0000000000401364-mapping.dmp

Download
memory/4068-1642-0x0000000000401364-mapping.dmp

Download
memory/4072-1678-0x0000000000401364-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads