ramnit | e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d

Analysis

max time kernel
152s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Size

480KB
MD5

827ff3f64da261509b75022844366de0
SHA1

30ecb63042e3caf1e1b70dca9ea079cf854b7474
SHA256

e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d
SHA512

a406c946fa751ca2f227f6e1de6ca4764bd242ef76214d9ed091b8721144a830f8794bbc9f23f86dcf4c6cc8d9a2e938c8d7ba2d57400e9edc1e82d0cb2a8d92
SSDEEP

6144:McbELf/Ml/cWdi5pV/JNWOVhMnxjXZwc6Xcz4leC0zqRN:rdOpNX1h6jXN6XcMleC0zg

Score

10^/10

ramnit sality backdoor banker evasion persistence spyware stealer trojan upx worm

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe

Modifies visibility of file extensions in Explorer 2 TTPs 12 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinAlert.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinAlert.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Commgr.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 12 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinAlert.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinAlert.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe

Executes dropped EXE 15 IoCs

pid	Process
5060	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9dmgr.exe
1336	WinAlert.exe
436	WinSysApp.exe
3852	WinAlert.exe
2468	Commgr.exe
100	WinSysAppmgr.exe
536	WinAlertmgr.exe
2168	Commgrmgr.exe
4032	WinSysApp.exe
4952	Commgr.exe
4984	Commgr.exe
388	WinSysApp.exe
1980	Commgr.exe
4544	WinSysApp.exe
4456	Commgr.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4276-136-0x00000000023F0000-0x000000000347E000-memory.dmp	upx
behavioral2/memory/4276-137-0x00000000023F0000-0x000000000347E000-memory.dmp	upx
behavioral2/memory/5060-139-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4276-142-0x00000000023F0000-0x000000000347E000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WinAlert.exe

Loads dropped DLL 4 IoCs

pid	Process
5060	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9dmgr.exe
100	WinSysAppmgr.exe
536	WinAlertmgr.exe
2168	Commgrmgr.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe

Adds Run key to start application 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	Commgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	Commgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	Commgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	Commgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	Commgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	Commgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	Commgr.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
File opened (read-only)	\??\G:	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
File opened (read-only)	\??\L:	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
File opened (read-only)	\??\N:	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
File opened (read-only)	\??\P:	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
File opened (read-only)	\??\I:	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
File opened (read-only)	\??\K:	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
File opened (read-only)	\??\O:	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
File opened (read-only)	\??\Q:	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
File opened (read-only)	\??\U:	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
File opened (read-only)	\??\Y:	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
File opened (read-only)	\??\H:	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
File opened (read-only)	\??\R:	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
File opened (read-only)	\??\T:	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
File opened (read-only)	\??\X:	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
File opened (read-only)	\??\Z:	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
File opened (read-only)	\??\F:	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
File opened (read-only)	\??\J:	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
File opened (read-only)	\??\M:	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
File opened (read-only)	\??\S:	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
File opened (read-only)	\??\V:	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
File opened (read-only)	\??\W:	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
784	100	WerFault.exe	83
1496	536	WerFault.exe	84
4288	2168	WerFault.exe	85
3472	100	WerFault.exe	83

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WinAlert.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
Token: SeDebugPrivilege	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 5060	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	78
PID 4276 wrote to memory of 5060	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	78
PID 4276 wrote to memory of 5060	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	78
PID 4276 wrote to memory of 792	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	8
PID 4276 wrote to memory of 800	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	16
PID 4276 wrote to memory of 336	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	10
PID 4276 wrote to memory of 2360	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	40
PID 4276 wrote to memory of 2384	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	74
PID 4276 wrote to memory of 2508	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	72
PID 4276 wrote to memory of 1996	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	66
PID 4276 wrote to memory of 3196	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	65
PID 4276 wrote to memory of 3392	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	64
PID 4276 wrote to memory of 3492	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	44
PID 4276 wrote to memory of 3624	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	45
PID 4276 wrote to memory of 3724	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	63
PID 4276 wrote to memory of 3964	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	62
PID 4276 wrote to memory of 4856	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	47
PID 4276 wrote to memory of 5060	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	78
PID 4276 wrote to memory of 5060	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	78
PID 4276 wrote to memory of 792	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	8
PID 4276 wrote to memory of 800	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	16
PID 4276 wrote to memory of 336	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	10
PID 4276 wrote to memory of 2360	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	40
PID 4276 wrote to memory of 2384	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	74
PID 4276 wrote to memory of 2508	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	72
PID 4276 wrote to memory of 1996	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	66
PID 4276 wrote to memory of 3196	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	65
PID 4276 wrote to memory of 3392	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	64
PID 4276 wrote to memory of 3492	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	44
PID 4276 wrote to memory of 3624	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	45
PID 4276 wrote to memory of 3724	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	63
PID 4276 wrote to memory of 3964	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	62
PID 4276 wrote to memory of 4856	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	47
PID 4276 wrote to memory of 436	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	79
PID 4276 wrote to memory of 436	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	79
PID 4276 wrote to memory of 436	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	79
PID 4276 wrote to memory of 1336	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	82
PID 4276 wrote to memory of 1336	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	82
PID 4276 wrote to memory of 1336	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	82
PID 4276 wrote to memory of 3852	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	81
PID 4276 wrote to memory of 3852	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	81
PID 4276 wrote to memory of 3852	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	81
PID 4276 wrote to memory of 2468	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	80
PID 4276 wrote to memory of 2468	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	80
PID 4276 wrote to memory of 2468	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	80
PID 436 wrote to memory of 100	436	WinSysApp.exe	83
PID 436 wrote to memory of 100	436	WinSysApp.exe	83
PID 436 wrote to memory of 100	436	WinSysApp.exe	83
PID 3852 wrote to memory of 536	3852	WinAlert.exe	84
PID 3852 wrote to memory of 536	3852	WinAlert.exe	84
PID 3852 wrote to memory of 536	3852	WinAlert.exe	84
PID 2468 wrote to memory of 2168	2468	Commgr.exe	85
PID 2468 wrote to memory of 2168	2468	Commgr.exe	85
PID 2468 wrote to memory of 2168	2468	Commgr.exe	85
PID 4276 wrote to memory of 4032	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	86
PID 4276 wrote to memory of 4032	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	86
PID 4276 wrote to memory of 4032	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	86
PID 4276 wrote to memory of 4952	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	87
PID 4276 wrote to memory of 4952	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	87
PID 4276 wrote to memory of 4952	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	87
PID 4276 wrote to memory of 4984	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	88
PID 4276 wrote to memory of 4984	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	88
PID 4276 wrote to memory of 4984	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	88
PID 4276 wrote to memory of 388	4276	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe	90

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:336

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:800

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2360

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3492

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3624

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4856

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3964

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3724

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3196

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1996
- C:\Users\Admin\AppData\Local\Temp\e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe
  "C:\Users\Admin\AppData\Local\Temp\e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d.exe"
  2⤵
  - Modifies firewall policy service
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Windows security bypass
  - Checks computer location settings
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4276
- - C:\Users\Admin\AppData\Local\Temp\e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9dmgr.exe
    C:\Users\Admin\AppData\Local\Temp\e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9dmgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5060
- - C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
    "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysAppmgr.exe
      C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysAppmgr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:100
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 496
        5⤵
        Program crash
        
        PID:784
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 540
        5⤵
        Program crash
        
        PID:3472
- - C:\Program Files\Windows Common Files\Commgr.exe
    "C:\Program Files\Windows Common Files\Commgr.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Program Files\Windows Common Files\Commgrmgr.exe
      "C:\Program Files\Windows Common Files\Commgrmgr.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2168
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 480
        5⤵
        Program crash
        
        PID:4288
- - C:\Program Files\Windows Alerter\WinAlert.exe
    "C:\Program Files\Windows Alerter\WinAlert.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3852
  - - C:\Program Files\Windows Alerter\WinAlertmgr.exe
      "C:\Program Files\Windows Alerter\WinAlertmgr.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:536
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 480
        5⤵
        Program crash
        
        PID:1496
  - - C:\Program Files\Windows Common Files\Commgr.exe
      "C:\Program Files\Windows Common Files\Commgr.exe"
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      PID:4456
- - C:\Program Files\Windows Alerter\WinAlert.exe
    "C:\Program Files\Windows Alerter\WinAlert.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    PID:1336
- - C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
    "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4032
- - C:\Program Files\Windows Common Files\Commgr.exe
    "C:\Program Files\Windows Common Files\Commgr.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4952
- - C:\Program Files\Windows Common Files\Commgr.exe
    "C:\Program Files\Windows Common Files\Commgr.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4984
- - C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
    "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    PID:388
- - C:\Program Files\Windows Common Files\Commgr.exe
    "C:\Program Files\Windows Common Files\Commgr.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    PID:1980
- - C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
    "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4544

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 536 -ip 536
1⤵
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2168 -ip 2168
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 100 -ip 100
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 100 -ip 100
1⤵
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 536 -ip 536
1⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2168 -ip 2168
1⤵
PID:1320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Alerter\WinAlert.exe

Filesize
480KB

MD5
827ff3f64da261509b75022844366de0

SHA1
30ecb63042e3caf1e1b70dca9ea079cf854b7474

SHA256
e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d

SHA512
a406c946fa751ca2f227f6e1de6ca4764bd242ef76214d9ed091b8721144a830f8794bbc9f23f86dcf4c6cc8d9a2e938c8d7ba2d57400e9edc1e82d0cb2a8d92

Download Submit
C:\Program Files\Windows Alerter\WinAlert.exe

Filesize
480KB

MD5
827ff3f64da261509b75022844366de0

SHA1
30ecb63042e3caf1e1b70dca9ea079cf854b7474

SHA256
e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d

SHA512
a406c946fa751ca2f227f6e1de6ca4764bd242ef76214d9ed091b8721144a830f8794bbc9f23f86dcf4c6cc8d9a2e938c8d7ba2d57400e9edc1e82d0cb2a8d92

Download Submit
C:\Program Files\Windows Alerter\WinAlert.exe

Filesize
480KB

MD5
827ff3f64da261509b75022844366de0

SHA1
30ecb63042e3caf1e1b70dca9ea079cf854b7474

SHA256
e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d

SHA512
a406c946fa751ca2f227f6e1de6ca4764bd242ef76214d9ed091b8721144a830f8794bbc9f23f86dcf4c6cc8d9a2e938c8d7ba2d57400e9edc1e82d0cb2a8d92

Download Submit
C:\Program Files\Windows Alerter\WinAlertmgr.exe

Filesize
106KB

MD5
7657fcb7d772448a6d8504e4b20168b8

SHA1
84c7201f7e59cb416280fd69a2e7f2e349ec8242

SHA256
54bc950d46a0d1aa72048a17c8275743209e6c17bdacfc4cb9601c9ce3ec9a71

SHA512
786addd2a793bd4123625b22dc717d193246442ac97f1c3f4a763ec794b48e68051cd41097c0e9f7367e6914534f36eafccb109ab03dc793d68bf1522e7884e2

Download Submit
C:\Program Files\Windows Alerter\WinAlertmgr.exe

Filesize
106KB

MD5
7657fcb7d772448a6d8504e4b20168b8

SHA1
84c7201f7e59cb416280fd69a2e7f2e349ec8242

SHA256
54bc950d46a0d1aa72048a17c8275743209e6c17bdacfc4cb9601c9ce3ec9a71

SHA512
786addd2a793bd4123625b22dc717d193246442ac97f1c3f4a763ec794b48e68051cd41097c0e9f7367e6914534f36eafccb109ab03dc793d68bf1522e7884e2

Download Submit
C:\Program Files\Windows Common Files\Commgr.exe

Filesize
480KB

MD5
827ff3f64da261509b75022844366de0

SHA1
30ecb63042e3caf1e1b70dca9ea079cf854b7474

SHA256
e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d

SHA512
a406c946fa751ca2f227f6e1de6ca4764bd242ef76214d9ed091b8721144a830f8794bbc9f23f86dcf4c6cc8d9a2e938c8d7ba2d57400e9edc1e82d0cb2a8d92

Download Submit
C:\Program Files\Windows Common Files\Commgr.exe

Filesize
480KB

MD5
827ff3f64da261509b75022844366de0

SHA1
30ecb63042e3caf1e1b70dca9ea079cf854b7474

SHA256
e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d

SHA512
a406c946fa751ca2f227f6e1de6ca4764bd242ef76214d9ed091b8721144a830f8794bbc9f23f86dcf4c6cc8d9a2e938c8d7ba2d57400e9edc1e82d0cb2a8d92

Download Submit
C:\Program Files\Windows Common Files\Commgr.exe

Filesize
480KB

MD5
827ff3f64da261509b75022844366de0

SHA1
30ecb63042e3caf1e1b70dca9ea079cf854b7474

SHA256
e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d

SHA512
a406c946fa751ca2f227f6e1de6ca4764bd242ef76214d9ed091b8721144a830f8794bbc9f23f86dcf4c6cc8d9a2e938c8d7ba2d57400e9edc1e82d0cb2a8d92

Download Submit
C:\Program Files\Windows Common Files\Commgr.exe

Filesize
480KB

MD5
827ff3f64da261509b75022844366de0

SHA1
30ecb63042e3caf1e1b70dca9ea079cf854b7474

SHA256
e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d

SHA512
a406c946fa751ca2f227f6e1de6ca4764bd242ef76214d9ed091b8721144a830f8794bbc9f23f86dcf4c6cc8d9a2e938c8d7ba2d57400e9edc1e82d0cb2a8d92

Download Submit
C:\Program Files\Windows Common Files\Commgr.exe

Filesize
480KB

MD5
827ff3f64da261509b75022844366de0

SHA1
30ecb63042e3caf1e1b70dca9ea079cf854b7474

SHA256
e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d

SHA512
a406c946fa751ca2f227f6e1de6ca4764bd242ef76214d9ed091b8721144a830f8794bbc9f23f86dcf4c6cc8d9a2e938c8d7ba2d57400e9edc1e82d0cb2a8d92

Download Submit
C:\Program Files\Windows Common Files\Commgr.exe

Filesize
480KB

MD5
827ff3f64da261509b75022844366de0

SHA1
30ecb63042e3caf1e1b70dca9ea079cf854b7474

SHA256
e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d

SHA512
a406c946fa751ca2f227f6e1de6ca4764bd242ef76214d9ed091b8721144a830f8794bbc9f23f86dcf4c6cc8d9a2e938c8d7ba2d57400e9edc1e82d0cb2a8d92

Download Submit
C:\Program Files\Windows Common Files\Commgrmgr.exe

Filesize
106KB

MD5
7657fcb7d772448a6d8504e4b20168b8

SHA1
84c7201f7e59cb416280fd69a2e7f2e349ec8242

SHA256
54bc950d46a0d1aa72048a17c8275743209e6c17bdacfc4cb9601c9ce3ec9a71

SHA512
786addd2a793bd4123625b22dc717d193246442ac97f1c3f4a763ec794b48e68051cd41097c0e9f7367e6914534f36eafccb109ab03dc793d68bf1522e7884e2

Download Submit
C:\Program Files\Windows Common Files\Commgrmgr.exe

Filesize
106KB

MD5
7657fcb7d772448a6d8504e4b20168b8

SHA1
84c7201f7e59cb416280fd69a2e7f2e349ec8242

SHA256
54bc950d46a0d1aa72048a17c8275743209e6c17bdacfc4cb9601c9ce3ec9a71

SHA512
786addd2a793bd4123625b22dc717d193246442ac97f1c3f4a763ec794b48e68051cd41097c0e9f7367e6914534f36eafccb109ab03dc793d68bf1522e7884e2

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
480KB

MD5
827ff3f64da261509b75022844366de0

SHA1
30ecb63042e3caf1e1b70dca9ea079cf854b7474

SHA256
e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d

SHA512
a406c946fa751ca2f227f6e1de6ca4764bd242ef76214d9ed091b8721144a830f8794bbc9f23f86dcf4c6cc8d9a2e938c8d7ba2d57400e9edc1e82d0cb2a8d92

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
480KB

MD5
827ff3f64da261509b75022844366de0

SHA1
30ecb63042e3caf1e1b70dca9ea079cf854b7474

SHA256
e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d

SHA512
a406c946fa751ca2f227f6e1de6ca4764bd242ef76214d9ed091b8721144a830f8794bbc9f23f86dcf4c6cc8d9a2e938c8d7ba2d57400e9edc1e82d0cb2a8d92

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
480KB

MD5
827ff3f64da261509b75022844366de0

SHA1
30ecb63042e3caf1e1b70dca9ea079cf854b7474

SHA256
e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d

SHA512
a406c946fa751ca2f227f6e1de6ca4764bd242ef76214d9ed091b8721144a830f8794bbc9f23f86dcf4c6cc8d9a2e938c8d7ba2d57400e9edc1e82d0cb2a8d92

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
480KB

MD5
827ff3f64da261509b75022844366de0

SHA1
30ecb63042e3caf1e1b70dca9ea079cf854b7474

SHA256
e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d

SHA512
a406c946fa751ca2f227f6e1de6ca4764bd242ef76214d9ed091b8721144a830f8794bbc9f23f86dcf4c6cc8d9a2e938c8d7ba2d57400e9edc1e82d0cb2a8d92

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
480KB

MD5
827ff3f64da261509b75022844366de0

SHA1
30ecb63042e3caf1e1b70dca9ea079cf854b7474

SHA256
e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9d

SHA512
a406c946fa751ca2f227f6e1de6ca4764bd242ef76214d9ed091b8721144a830f8794bbc9f23f86dcf4c6cc8d9a2e938c8d7ba2d57400e9edc1e82d0cb2a8d92

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysAppmgr.exe

Filesize
106KB

MD5
7657fcb7d772448a6d8504e4b20168b8

SHA1
84c7201f7e59cb416280fd69a2e7f2e349ec8242

SHA256
54bc950d46a0d1aa72048a17c8275743209e6c17bdacfc4cb9601c9ce3ec9a71

SHA512
786addd2a793bd4123625b22dc717d193246442ac97f1c3f4a763ec794b48e68051cd41097c0e9f7367e6914534f36eafccb109ab03dc793d68bf1522e7884e2

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysAppmgr.exe

Filesize
106KB

MD5
7657fcb7d772448a6d8504e4b20168b8

SHA1
84c7201f7e59cb416280fd69a2e7f2e349ec8242

SHA256
54bc950d46a0d1aa72048a17c8275743209e6c17bdacfc4cb9601c9ce3ec9a71

SHA512
786addd2a793bd4123625b22dc717d193246442ac97f1c3f4a763ec794b48e68051cd41097c0e9f7367e6914534f36eafccb109ab03dc793d68bf1522e7884e2

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\bnf0342

Filesize
1KB

MD5
463c3c665c493bc9603faa5fb5ff2ff3

SHA1
39b2559e7e6f9db23d2440a18ab6b65b215e26f3

SHA256
461b093a7574e64fbe55a58887bbbf3cea52fbc0196e5fab86ac6bfffb6e9ce3

SHA512
10ee7ea03c16df89f7ff8b7a29f82e7127e6a1a63a275bf807951f13a3c1cf08e27e7242ff297395dd3150c6536c7202df1b931f131a92f50bbf3913d4dcad0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9dmgr.exe

Filesize
106KB

MD5
7657fcb7d772448a6d8504e4b20168b8

SHA1
84c7201f7e59cb416280fd69a2e7f2e349ec8242

SHA256
54bc950d46a0d1aa72048a17c8275743209e6c17bdacfc4cb9601c9ce3ec9a71

SHA512
786addd2a793bd4123625b22dc717d193246442ac97f1c3f4a763ec794b48e68051cd41097c0e9f7367e6914534f36eafccb109ab03dc793d68bf1522e7884e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8739e285930709de90c3b9120d4162baff0f06cb60889ffc5b0188a0265fd9dmgr.exe

Filesize
106KB

MD5
7657fcb7d772448a6d8504e4b20168b8

SHA1
84c7201f7e59cb416280fd69a2e7f2e349ec8242

SHA256
54bc950d46a0d1aa72048a17c8275743209e6c17bdacfc4cb9601c9ce3ec9a71

SHA512
786addd2a793bd4123625b22dc717d193246442ac97f1c3f4a763ec794b48e68051cd41097c0e9f7367e6914534f36eafccb109ab03dc793d68bf1522e7884e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\~TM3577.tmp

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\~TM376B.tmp

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\~TM3A2A.tmp

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\~TM791.tmp

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
memory/100-206-0x00000000770F0000-0x0000000077293000-memory.dmp

Filesize
1.6MB

Download
memory/100-172-0x0000000000460000-0x000000000048A000-memory.dmp

Filesize
168KB

Download
memory/100-173-0x00000000770F0000-0x0000000077293000-memory.dmp

Filesize
1.6MB

Download
memory/388-194-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/436-208-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/436-152-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/536-184-0x00000000770F0000-0x0000000077293000-memory.dmp

Filesize
1.6MB

Download
memory/536-183-0x0000000000590000-0x00000000005BA000-memory.dmp

Filesize
168KB

Download
memory/536-205-0x00000000770F0000-0x0000000077293000-memory.dmp

Filesize
1.6MB

Download
memory/1336-203-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1336-151-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1980-195-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1980-200-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2168-185-0x00000000004A0000-0x00000000004CA000-memory.dmp

Filesize
168KB

Download
memory/2168-204-0x00000000770F0000-0x0000000077293000-memory.dmp

Filesize
1.6MB

Download
memory/2168-186-0x00000000770F0000-0x0000000077293000-memory.dmp

Filesize
1.6MB

Download
memory/2468-192-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2468-171-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3852-153-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3852-209-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4032-180-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4032-197-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4276-137-0x00000000023F0000-0x000000000347E000-memory.dmp

Filesize
16.6MB

Download
memory/4276-142-0x00000000023F0000-0x000000000347E000-memory.dmp

Filesize
16.6MB

Download
memory/4276-207-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4276-136-0x00000000023F0000-0x000000000347E000-memory.dmp

Filesize
16.6MB

Download
memory/4276-132-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4456-202-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4544-201-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4544-196-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4952-193-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4952-181-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4984-210-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4984-182-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/5060-139-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5060-140-0x0000000002230000-0x000000000225A000-memory.dmp

Filesize
168KB

Download
memory/5060-141-0x00000000770F0000-0x0000000077293000-memory.dmp

Filesize
1.6MB

Download