xpertrat | 8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a

General

Target

8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
Size

2.7MB
MD5

b88f7a11b9f3b4573bc22462dc292606
SHA1

121f600ab2ba4534b3a7f7580cb434007ef81d5c
SHA256

8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a
SHA512

0a8935aa8bc7161a485bfeb9da5cab2aa492bc4e992f50fcd31e3a0d5c09c1a4f841749cbb3fedf7e76cf9119549848dc42c20029a7bbb6f355018efb3c0179c

Score

10^/10

xpertrat evasion persistence rat trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U6K7D1X2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U6K7D1X2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U6K7D1X2W5F0.exe"	iexplore.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe = "0"	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U6K7D1X2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U6K7D1X2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U6K7D1X2W5F0.exe"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U6K7D1X2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U6K7D1X2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U6K7D1X2W5F0.exe"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	iexplore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3436	4948	WerFault.exe	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
1508	4360	WerFault.exe	iexplore.exe
3324	4360	WerFault.exe	iexplore.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

Processes:

8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe

pid	process
4948	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
4948	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
4948	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
4948	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
4948	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
4948	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
4948	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
4948	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
4948	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
4948	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
4948	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
4948	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
4948	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
4948	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
4948	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
4948	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe

description	pid	process	target process
PID 4948 set thread context of 1468	4948	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
PID 1468 set thread context of 4360	1468	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe	iexplore.exe
PID 1468 set thread context of 2980	1468	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exe8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe

pid	process
444	powershell.exe
4948	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
444	powershell.exe
4948	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
4948	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
1468	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
1468	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
1468	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
1468	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
1468	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
1468	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exepowershell.exeiexplore.exe

description	pid	process
Token: SeDebugPrivilege	4948	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeDebugPrivilege	2980	iexplore.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exeiexplore.exe

pid process

1468 8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
2980 iexplore.exe

pid	process
1468	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
2980	iexplore.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe

description	pid	process	target process
PID 4948 wrote to memory of 444	4948	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe	powershell.exe
PID 4948 wrote to memory of 444	4948	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe	powershell.exe
PID 4948 wrote to memory of 444	4948	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe	powershell.exe
PID 4948 wrote to memory of 1468	4948	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
PID 4948 wrote to memory of 1468	4948	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
PID 4948 wrote to memory of 1468	4948	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
PID 4948 wrote to memory of 1468	4948	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
PID 4948 wrote to memory of 1468	4948	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
PID 4948 wrote to memory of 1468	4948	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
PID 4948 wrote to memory of 1468	4948	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
PID 1468 wrote to memory of 4360	1468	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe	iexplore.exe
PID 1468 wrote to memory of 4360	1468	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe	iexplore.exe
PID 1468 wrote to memory of 4360	1468	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe	iexplore.exe
PID 1468 wrote to memory of 4360	1468	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe	iexplore.exe
PID 1468 wrote to memory of 4360	1468	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe	iexplore.exe
PID 1468 wrote to memory of 4360	1468	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe	iexplore.exe
PID 1468 wrote to memory of 4360	1468	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe	iexplore.exe
PID 1468 wrote to memory of 4360	1468	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe	iexplore.exe
PID 1468 wrote to memory of 2980	1468	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe	iexplore.exe
PID 1468 wrote to memory of 2980	1468	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe	iexplore.exe
PID 1468 wrote to memory of 2980	1468	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe	iexplore.exe
PID 1468 wrote to memory of 2980	1468	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe	iexplore.exe
PID 1468 wrote to memory of 2980	1468	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe	iexplore.exe
PID 1468 wrote to memory of 2980	1468	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe	iexplore.exe
PID 1468 wrote to memory of 2980	1468	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe	iexplore.exe
PID 1468 wrote to memory of 2980	1468	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe	iexplore.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe

C:\Users\Admin\AppData\Local\Temp\8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
"C:\Users\Admin\AppData\Local\Temp\8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe"
1⤵
- Checks computer location settings
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:444

C:\Users\Admin\AppData\Local\Temp\8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
"C:\Users\Admin\AppData\Local\Temp\8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe"
2⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1468

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
3⤵
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 92
4⤵
- Program crash
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 100
4⤵
- Program crash
PID:3324

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\8ae24ff669ba9e67c0a9617b5057c9fa8605aeceb13ce16883cd47f8f4f4e16a.exe
3⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 2180
2⤵
- Program crash
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4948 -ip 4948
1⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4360 -ip 4360
1⤵
PID:620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4360 -ip 4360
1⤵
PID:4460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/444-145-0x0000000005B40000-0x0000000005B5E000-memory.dmp

Filesize
120KB

Download
memory/444-154-0x0000000007080000-0x000000000708E000-memory.dmp

Filesize
56KB

Download
memory/444-155-0x0000000007190000-0x00000000071AA000-memory.dmp

Filesize
104KB

Download
memory/444-133-0x0000000000000000-mapping.dmp

Download
memory/444-134-0x0000000000A10000-0x0000000000A46000-memory.dmp

Filesize
216KB

Download
memory/444-135-0x0000000004E30000-0x0000000005458000-memory.dmp

Filesize
6.2MB

Download
memory/444-136-0x0000000004BA0000-0x0000000004BC2000-memory.dmp

Filesize
136KB

Download
memory/444-137-0x0000000004C40000-0x0000000004CA6000-memory.dmp

Filesize
408KB

Download
memory/444-138-0x0000000004CB0000-0x0000000004D16000-memory.dmp

Filesize
408KB

Download
memory/444-153-0x00000000070D0000-0x0000000007166000-memory.dmp

Filesize
600KB

Download
memory/444-156-0x0000000007170000-0x0000000007178000-memory.dmp

Filesize
32KB

Download
memory/444-152-0x0000000006EC0000-0x0000000006ECA000-memory.dmp

Filesize
40KB

Download
memory/444-147-0x0000000006160000-0x0000000006192000-memory.dmp

Filesize
200KB

Download
memory/444-151-0x0000000006E60000-0x0000000006E7A000-memory.dmp

Filesize
104KB

Download
memory/444-150-0x00000000074E0000-0x0000000007B5A000-memory.dmp

Filesize
6.5MB

Download
memory/444-148-0x000000006F1C0000-0x000000006F20C000-memory.dmp

Filesize
304KB

Download
memory/444-149-0x0000000006100000-0x000000000611E000-memory.dmp

Filesize
120KB

Download
memory/1468-146-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1468-139-0x0000000000000000-mapping.dmp

Download
memory/1468-142-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1468-140-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4948-130-0x00000000004E0000-0x000000000078E000-memory.dmp

Filesize
2.7MB

Download
memory/4948-131-0x00000000050F0000-0x000000000518C000-memory.dmp

Filesize
624KB

Download
memory/4948-132-0x0000000007C70000-0x0000000008214000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads