0a35b0e0112fc3ffb7fb29e2f7afa092ae3b5932ff8e79c7a9b5365ad5e08013

General

Target

SecuriteInfo.com.Variant.Ser.Lazy.948.25861.exe
Size

512KB
MD5

bfa6a35755791e6046c304ac582770c7
SHA1

6f921e0412bc2506ef0c1b65f0f086da4a161ca5
SHA256

0a35b0e0112fc3ffb7fb29e2f7afa092ae3b5932ff8e79c7a9b5365ad5e08013
SHA512

fd7271fc40f5c1f25e8c30e05612042c2b200ac1635b079477d1b3cb3dd0a4c3270f425307933cce0b591ab2752a7d6450d15663ea62b3b8da991149ee7c8c75

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Variant.Ser.Lazy.948.25861.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.Variant.Ser.Lazy.948.25861.exe

Program crash 34 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3960	4624	WerFault.exe	iexplore.exe
2000	4312	WerFault.exe	iexplore.exe
3376	472	WerFault.exe	iexplore.exe
548	3124	WerFault.exe	iexplore.exe
4000	3328	WerFault.exe	iexplore.exe
3932	4472	WerFault.exe	iexplore.exe
1276	1392	WerFault.exe	iexplore.exe
5064	1952	WerFault.exe	iexplore.exe
3388	3120	WerFault.exe	iexplore.exe
1888	4344	WerFault.exe	iexplore.exe
4188	3660	WerFault.exe	iexplore.exe
5088	3660	WerFault.exe	iexplore.exe
3648	5048	WerFault.exe	iexplore.exe
4780	1004	WerFault.exe	iexplore.exe
1364	208	WerFault.exe	iexplore.exe
1612	1672	WerFault.exe	iexplore.exe
1764	624	WerFault.exe	iexplore.exe
3884	2348	WerFault.exe	iexplore.exe
3140	1672	WerFault.exe	iexplore.exe
3900	4240	WerFault.exe	iexplore.exe
4260	3916	WerFault.exe	iexplore.exe
396	1348	WerFault.exe	iexplore.exe
4184	440	WerFault.exe	iexplore.exe
4444	4104	WerFault.exe	iexplore.exe
3180	1604	WerFault.exe	iexplore.exe
1168	2384	WerFault.exe	iexplore.exe
2716	2496	WerFault.exe	iexplore.exe
3020	2172	WerFault.exe	iexplore.exe
4924	4076	WerFault.exe	iexplore.exe
4956	1188	WerFault.exe	iexplore.exe
2140	3960	WerFault.exe	iexplore.exe
4368	1340	WerFault.exe	iexplore.exe
2460	2128	WerFault.exe	iexplore.exe
4808	2152	WerFault.exe	iexplore.exe

Suspicious use of SetThreadContext 33 IoCs

Processes:

SecuriteInfo.com.Variant.Ser.Lazy.948.25861.exeMSBuild.exe

description	pid	process	target process
PID 1392 set thread context of 1804	1392	SecuriteInfo.com.Variant.Ser.Lazy.948.25861.exe	MSBuild.exe
PID 1804 set thread context of 4624	1804	MSBuild.exe	iexplore.exe
PID 1804 set thread context of 4312	1804	MSBuild.exe	iexplore.exe
PID 1804 set thread context of 472	1804	MSBuild.exe	iexplore.exe
PID 1804 set thread context of 3124	1804	MSBuild.exe	iexplore.exe
PID 1804 set thread context of 3328	1804	MSBuild.exe	iexplore.exe
PID 1804 set thread context of 4472	1804	MSBuild.exe	iexplore.exe
PID 1804 set thread context of 1392	1804	MSBuild.exe	iexplore.exe
PID 1804 set thread context of 1952	1804	MSBuild.exe	iexplore.exe
PID 1804 set thread context of 3120	1804	MSBuild.exe	iexplore.exe
PID 1804 set thread context of 4344	1804	MSBuild.exe	iexplore.exe
PID 1804 set thread context of 3660	1804	MSBuild.exe	iexplore.exe
PID 1804 set thread context of 5048	1804	MSBuild.exe	iexplore.exe
PID 1804 set thread context of 1004	1804	MSBuild.exe	iexplore.exe
PID 1804 set thread context of 208	1804	MSBuild.exe	iexplore.exe
PID 1804 set thread context of 1672	1804	MSBuild.exe	iexplore.exe
PID 1804 set thread context of 624	1804	MSBuild.exe	iexplore.exe
PID 1804 set thread context of 2348	1804	MSBuild.exe	iexplore.exe
PID 1804 set thread context of 4240	1804	MSBuild.exe	iexplore.exe
PID 1804 set thread context of 3916	1804	MSBuild.exe	iexplore.exe
PID 1804 set thread context of 1348	1804	MSBuild.exe	iexplore.exe
PID 1804 set thread context of 440	1804	MSBuild.exe	iexplore.exe
PID 1804 set thread context of 4104	1804	MSBuild.exe	iexplore.exe
PID 1804 set thread context of 1604	1804	MSBuild.exe	iexplore.exe
PID 1804 set thread context of 2384	1804	MSBuild.exe	iexplore.exe
PID 1804 set thread context of 2496	1804	MSBuild.exe	iexplore.exe
PID 1804 set thread context of 2172	1804	MSBuild.exe	iexplore.exe
PID 1804 set thread context of 4076	1804	MSBuild.exe	iexplore.exe
PID 1804 set thread context of 1188	1804	MSBuild.exe	iexplore.exe
PID 1804 set thread context of 3960	1804	MSBuild.exe	iexplore.exe
PID 1804 set thread context of 1340	1804	MSBuild.exe	iexplore.exe
PID 1804 set thread context of 2128	1804	MSBuild.exe	iexplore.exe
PID 1804 set thread context of 2152	1804	MSBuild.exe	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeMSBuild.exe

pid	process
2460	powershell.exe
1804	MSBuild.exe
1804	MSBuild.exe
2460	powershell.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe
1804	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2460 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid process

1804 MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	2460	powershell.exe

pid	process
1804	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SecuriteInfo.com.Variant.Ser.Lazy.948.25861.exeMSBuild.exe

description	pid	process	target process
PID 1392 wrote to memory of 2460	1392	SecuriteInfo.com.Variant.Ser.Lazy.948.25861.exe	powershell.exe
PID 1392 wrote to memory of 2460	1392	SecuriteInfo.com.Variant.Ser.Lazy.948.25861.exe	powershell.exe
PID 1392 wrote to memory of 2460	1392	SecuriteInfo.com.Variant.Ser.Lazy.948.25861.exe	powershell.exe
PID 1392 wrote to memory of 1804	1392	SecuriteInfo.com.Variant.Ser.Lazy.948.25861.exe	MSBuild.exe
PID 1392 wrote to memory of 1804	1392	SecuriteInfo.com.Variant.Ser.Lazy.948.25861.exe	MSBuild.exe
PID 1392 wrote to memory of 1804	1392	SecuriteInfo.com.Variant.Ser.Lazy.948.25861.exe	MSBuild.exe
PID 1392 wrote to memory of 1804	1392	SecuriteInfo.com.Variant.Ser.Lazy.948.25861.exe	MSBuild.exe
PID 1392 wrote to memory of 1804	1392	SecuriteInfo.com.Variant.Ser.Lazy.948.25861.exe	MSBuild.exe
PID 1392 wrote to memory of 1804	1392	SecuriteInfo.com.Variant.Ser.Lazy.948.25861.exe	MSBuild.exe
PID 1392 wrote to memory of 1804	1392	SecuriteInfo.com.Variant.Ser.Lazy.948.25861.exe	MSBuild.exe
PID 1804 wrote to memory of 4624	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 4624	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 4624	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 4624	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 4624	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 4624	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 4624	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 4624	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 4312	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 4312	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 4312	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 4312	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 4312	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 4312	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 4312	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 4312	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 472	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 472	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 472	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 472	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 472	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 472	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 472	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 472	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 3124	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 3124	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 3124	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 3124	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 3124	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 3124	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 3124	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 3124	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 3328	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 3328	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 3328	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 3328	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 3328	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 3328	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 3328	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 3328	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 4472	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 4472	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 4472	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 4472	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 4472	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 4472	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 4472	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 4472	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 1392	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 1392	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 1392	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 1392	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 1392	1804	MSBuild.exe	iexplore.exe
PID 1804 wrote to memory of 1392	1804	MSBuild.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ser.Lazy.948.25861.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ser.Lazy.948.25861.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ser.Lazy.948.25861.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1804

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 84
4⤵
- Program crash
PID:3960

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 84
4⤵
- Program crash
PID:2000

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 84
4⤵
- Program crash
PID:3376

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 84
4⤵
- Program crash
PID:548

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 84
4⤵
- Program crash
PID:4000

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 84
4⤵
- Program crash
PID:3932

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 192
4⤵
- Program crash
PID:1276

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 84
4⤵
- Program crash
PID:5064

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 84
4⤵
- Program crash
PID:3388

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 84
4⤵
- Program crash
PID:1888

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 92
4⤵
- Program crash
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 100
4⤵
- Program crash
PID:5088

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 84
4⤵
- Program crash
PID:3648

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:1004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 84
4⤵
- Program crash
PID:4780

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 84
4⤵
- Program crash
PID:1364

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 12
4⤵
- Program crash
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 32
4⤵
- Program crash
PID:3140

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 84
4⤵
- Program crash
PID:1764

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 84
4⤵
- Program crash
PID:3884

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 84
4⤵
- Program crash
PID:3900

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 84
4⤵
- Program crash
PID:4260

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 76
4⤵
- Program crash
PID:396

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 84
4⤵
- Program crash
PID:4184

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 84
4⤵
- Program crash
PID:4444

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 84
4⤵
- Program crash
PID:3180

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 84
4⤵
- Program crash
PID:1168

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 84
4⤵
- Program crash
PID:2716

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 84
4⤵
- Program crash
PID:3020

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 84
4⤵
- Program crash
PID:4924

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 84
4⤵
- Program crash
PID:4956

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 84
4⤵
- Program crash
PID:2140

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 84
4⤵
- Program crash
PID:4368

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 84
4⤵
- Program crash
PID:2460

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 84
4⤵
- Program crash
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4624 -ip 4624
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4312 -ip 4312
1⤵
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 472 -ip 472
1⤵
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3124 -ip 3124
1⤵
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3328 -ip 3328
1⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4472 -ip 4472
1⤵
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1392 -ip 1392
1⤵
PID:360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1952 -ip 1952
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3120 -ip 3120
1⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4344 -ip 4344
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3660 -ip 3660
1⤵
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3660 -ip 3660
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5048 -ip 5048
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1004 -ip 1004
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 208 -ip 208
1⤵
PID:808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1672 -ip 1672
1⤵
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 624 -ip 624
1⤵
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2348 -ip 2348
1⤵
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1672 -ip 1672
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4240 -ip 4240
1⤵
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3916 -ip 3916
1⤵
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 1348 -ip 1348
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 440 -ip 440
1⤵
PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4104 -ip 4104
1⤵
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 1604 -ip 1604
1⤵
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2384 -ip 2384
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 2496 -ip 2496
1⤵
PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 2172 -ip 2172
1⤵
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 4076 -ip 4076
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 1188 -ip 1188
1⤵
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 3960 -ip 3960
1⤵
PID:204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 1340 -ip 1340
1⤵
PID:484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 2128 -ip 2128
1⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 2152 -ip 2152
1⤵
PID:3372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

2

T1089

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1392-131-0x0000000005E00000-0x00000000063A4000-memory.dmp

Filesize
5.6MB

Download
memory/1392-132-0x0000000005850000-0x00000000058E2000-memory.dmp

Filesize
584KB

Download
memory/1392-133-0x00000000059C0000-0x0000000005A5C000-memory.dmp

Filesize
624KB

Download
memory/1392-134-0x0000000005830000-0x000000000583A000-memory.dmp

Filesize
40KB

Download
memory/1392-135-0x0000000008060000-0x00000000080C6000-memory.dmp

Filesize
408KB

Download
memory/1392-130-0x0000000000E10000-0x0000000000E96000-memory.dmp

Filesize
536KB

Download
memory/1804-141-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1804-147-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1804-137-0x0000000000000000-mapping.dmp

Download
memory/1804-138-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2460-145-0x0000000005950000-0x0000000005972000-memory.dmp

Filesize
136KB

Download
memory/2460-150-0x0000000070A70000-0x0000000070ABC000-memory.dmp

Filesize
304KB

Download
memory/2460-140-0x0000000004BE0000-0x0000000004C16000-memory.dmp

Filesize
216KB

Download
memory/2460-146-0x0000000005AF0000-0x0000000005B56000-memory.dmp

Filesize
408KB

Download
memory/2460-136-0x0000000000000000-mapping.dmp

Download
memory/2460-148-0x00000000060B0000-0x00000000060CE000-memory.dmp

Filesize
120KB

Download
memory/2460-149-0x0000000006780000-0x00000000067B2000-memory.dmp

Filesize
200KB

Download
memory/2460-144-0x0000000005320000-0x0000000005948000-memory.dmp

Filesize
6.2MB

Download
memory/2460-151-0x0000000006760000-0x000000000677E000-memory.dmp

Filesize
120KB

Download
memory/2460-152-0x0000000007B10000-0x000000000818A000-memory.dmp

Filesize
6.5MB

Download
memory/2460-153-0x00000000074C0000-0x00000000074DA000-memory.dmp

Filesize
104KB

Download
memory/2460-154-0x0000000004F10000-0x0000000004F1A000-memory.dmp

Filesize
40KB

Download
memory/2460-155-0x0000000007750000-0x00000000077E6000-memory.dmp

Filesize
600KB

Download
memory/2460-156-0x0000000007710000-0x000000000771E000-memory.dmp

Filesize
56KB

Download
memory/2460-157-0x0000000007810000-0x000000000782A000-memory.dmp

Filesize
104KB

Download
memory/2460-158-0x00000000077F0000-0x00000000077F8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads