xpertrat | 27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe

Windows security bypass 2 TTPs 1 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe

XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

XpertRAT Core payload 1 IoCs

resource	yara_rule
behavioral1/memory/1528-19-0x0000000000400000-0x0000000000443000-memory.dmp	xpertrat

Windows security modification 2 TTPs 1 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe

Program crash 37 IoCs

pid	pid_target	Process	procid_target
3432	1528	WerFault.exe	91
4780	684	WerFault.exe	94
4792	3588	WerFault.exe	97
1120	1532	WerFault.exe	100
1708	4844	WerFault.exe	103
4384	748	WerFault.exe	106
4176	4192	WerFault.exe	109
1124	2060	WerFault.exe	112
1400	4968	WerFault.exe	115
2836	1868	WerFault.exe	118
388	3664	WerFault.exe	121
3172	4240	WerFault.exe	124
1904	3472	WerFault.exe	127
3700	3960	WerFault.exe	130
4260	2108	WerFault.exe	133
4404	4848	WerFault.exe	136
4352	4864	WerFault.exe	139
4256	4576	WerFault.exe	142
1268	3244	WerFault.exe	145
4588	4632	WerFault.exe	148
2992	2344	WerFault.exe	151
4532	4372	WerFault.exe	154
3520	4340	WerFault.exe	157
1828	3108	WerFault.exe	160
4504	1160	WerFault.exe	163
1804	1892	WerFault.exe	166
2764	3908	WerFault.exe	169
116	1476	WerFault.exe	172
1556	400	WerFault.exe	175
3824	1548	WerFault.exe	178
1692	2548	WerFault.exe	181
4148	728	WerFault.exe	184
468	4984	WerFault.exe	187
3880	1020	WerFault.exe	190
3388	3576	WerFault.exe	193
4744	4324	WerFault.exe	196
2868	4772	WerFault.exe	199

Suspicious use of SetThreadContext 38 IoCs

description	pid	Process	procid_target
PID 1012 set thread context of 3952	1012	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	90
PID 3952 set thread context of 1528	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	91
PID 3952 set thread context of 684	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	94
PID 3952 set thread context of 3588	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	97
PID 3952 set thread context of 1532	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	100
PID 3952 set thread context of 4844	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	103
PID 3952 set thread context of 748	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	106
PID 3952 set thread context of 4192	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	109
PID 3952 set thread context of 2060	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	112
PID 3952 set thread context of 4968	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	115
PID 3952 set thread context of 1868	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	118
PID 3952 set thread context of 3664	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	121
PID 3952 set thread context of 4240	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	124
PID 3952 set thread context of 3472	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	127
PID 3952 set thread context of 3960	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	130
PID 3952 set thread context of 2108	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	133
PID 3952 set thread context of 4848	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	136
PID 3952 set thread context of 4864	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	139
PID 3952 set thread context of 4576	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	142
PID 3952 set thread context of 3244	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	145
PID 3952 set thread context of 4632	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	148
PID 3952 set thread context of 2344	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	151
PID 3952 set thread context of 4372	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	154
PID 3952 set thread context of 4340	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	157
PID 3952 set thread context of 3108	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	160
PID 3952 set thread context of 1160	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	163
PID 3952 set thread context of 1892	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	166
PID 3952 set thread context of 3908	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	169
PID 3952 set thread context of 1476	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	172
PID 3952 set thread context of 400	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	175
PID 3952 set thread context of 1548	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	178
PID 3952 set thread context of 2548	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	181
PID 3952 set thread context of 728	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	184
PID 3952 set thread context of 4984	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	187
PID 3952 set thread context of 1020	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	190
PID 3952 set thread context of 3576	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	193
PID 3952 set thread context of 4324	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	196
PID 3952 set thread context of 4772	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	199

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1532	iexplore.exe
1020	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 3952	1012	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	90
PID 1012 wrote to memory of 3952	1012	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	90
PID 1012 wrote to memory of 3952	1012	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	90
PID 1012 wrote to memory of 3952	1012	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	90
PID 1012 wrote to memory of 3952	1012	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	90
PID 1012 wrote to memory of 3952	1012	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	90
PID 1012 wrote to memory of 3952	1012	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	90
PID 3952 wrote to memory of 1528	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	91
PID 3952 wrote to memory of 1528	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	91
PID 3952 wrote to memory of 1528	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	91
PID 3952 wrote to memory of 1528	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	91
PID 3952 wrote to memory of 1528	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	91
PID 3952 wrote to memory of 1528	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	91
PID 3952 wrote to memory of 1528	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	91
PID 3952 wrote to memory of 1528	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	91
PID 3952 wrote to memory of 684	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	94
PID 3952 wrote to memory of 684	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	94
PID 3952 wrote to memory of 684	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	94
PID 3952 wrote to memory of 684	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	94
PID 3952 wrote to memory of 684	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	94
PID 3952 wrote to memory of 684	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	94
PID 3952 wrote to memory of 684	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	94
PID 3952 wrote to memory of 684	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	94
PID 3952 wrote to memory of 3588	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	97
PID 3952 wrote to memory of 3588	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	97
PID 3952 wrote to memory of 3588	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	97
PID 3952 wrote to memory of 3588	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	97
PID 3952 wrote to memory of 3588	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	97
PID 3952 wrote to memory of 3588	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	97
PID 3952 wrote to memory of 3588	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	97
PID 3952 wrote to memory of 3588	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	97
PID 3952 wrote to memory of 1532	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	100
PID 3952 wrote to memory of 1532	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	100
PID 3952 wrote to memory of 1532	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	100
PID 3952 wrote to memory of 1532	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	100
PID 3952 wrote to memory of 1532	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	100
PID 3952 wrote to memory of 1532	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	100
PID 3952 wrote to memory of 1532	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	100
PID 3952 wrote to memory of 1532	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	100
PID 3952 wrote to memory of 4844	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	103
PID 3952 wrote to memory of 4844	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	103
PID 3952 wrote to memory of 4844	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	103
PID 3952 wrote to memory of 4844	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	103
PID 3952 wrote to memory of 4844	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	103
PID 3952 wrote to memory of 4844	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	103
PID 3952 wrote to memory of 4844	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	103
PID 3952 wrote to memory of 4844	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	103
PID 3952 wrote to memory of 748	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	106
PID 3952 wrote to memory of 748	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	106
PID 3952 wrote to memory of 748	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	106
PID 3952 wrote to memory of 748	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	106
PID 3952 wrote to memory of 748	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	106
PID 3952 wrote to memory of 748	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	106
PID 3952 wrote to memory of 748	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	106
PID 3952 wrote to memory of 748	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	106
PID 3952 wrote to memory of 4192	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	109
PID 3952 wrote to memory of 4192	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	109
PID 3952 wrote to memory of 4192	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	109
PID 3952 wrote to memory of 4192	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	109
PID 3952 wrote to memory of 4192	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	109
PID 3952 wrote to memory of 4192	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	109
PID 3952 wrote to memory of 4192	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	109
PID 3952 wrote to memory of 4192	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	109
PID 3952 wrote to memory of 2060	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	112

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe

C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
"C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
  "C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe"
  2⤵
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3952
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:1528
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 12
      4⤵
      Program crash
      PID:3432
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:684
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 12
      4⤵
      Program crash
      PID:4780
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:3588
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 12
      4⤵
      Program crash
      PID:4792
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:1532
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 12
      4⤵
      Program crash
      PID:1120
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:4844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 12
      4⤵
      Program crash
      PID:1708
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:748
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 12
      4⤵
      Program crash
      PID:4384
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:4192
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 12
      4⤵
      Program crash
      PID:4176
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:2060
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 12
      4⤵
      Program crash
      PID:1124
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:4968
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 12
      4⤵
      Program crash
      PID:1400
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:1868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 12
      4⤵
      Program crash
      PID:2836
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:3664
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 12
      4⤵
      Program crash
      PID:388
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:4240
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 12
      4⤵
      Program crash
      PID:3172
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:3472
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 12
      4⤵
      Program crash
      PID:1904
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:3960
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 12
      4⤵
      Program crash
      PID:3700
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:2108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 12
      4⤵
      Program crash
      PID:4260
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:4848
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 12
      4⤵
      Program crash
      PID:4404
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:4864
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 12
      4⤵
      Program crash
      PID:4352
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:4576
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 12
      4⤵
      Program crash
      PID:4256
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:3244
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 12
      4⤵
      Program crash
      PID:1268
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:4632
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 12
      4⤵
      Program crash
      PID:4588
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:2344
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 12
      4⤵
      Program crash
      PID:2992
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:4372
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 12
      4⤵
      Program crash
      PID:4532
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:4340
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 12
      4⤵
      Program crash
      PID:3520
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:3108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 12
      4⤵
      Program crash
      PID:1828
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:1160
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 12
      4⤵
      Program crash
      PID:4504
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:1892
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 12
      4⤵
      Program crash
      PID:1804
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:3908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 12
      4⤵
      Program crash
      PID:2764
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:1476
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 12
      4⤵
      Program crash
      PID:116
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:400
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 12
      4⤵
      Program crash
      PID:1556
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:1548
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 12
      4⤵
      Program crash
      PID:3824
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:2548
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 12
      4⤵
      Program crash
      PID:1692
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:728
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 12
      4⤵
      Program crash
      PID:4148
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:4984
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 12
      4⤵
      Program crash
      PID:468
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:1020
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 12
      4⤵
      Program crash
      PID:3880
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:3576
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 12
      4⤵
      Program crash
      PID:3388
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:4324
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 12
      4⤵
      Program crash
      PID:4744
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
    3⤵
    PID:4772
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 12
      4⤵
      Program crash
      PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1528 -ip 1528
1⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 684 -ip 684
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3588 -ip 3588
1⤵
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1532 -ip 1532
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4844 -ip 4844
1⤵
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 748 -ip 748
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4192 -ip 4192
1⤵
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2060 -ip 2060
1⤵
PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4968 -ip 4968
1⤵
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1868 -ip 1868
1⤵
PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3664 -ip 3664
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4240 -ip 4240
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3472 -ip 3472
1⤵
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3960 -ip 3960
1⤵
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2108 -ip 2108
1⤵
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4848 -ip 4848
1⤵
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4864 -ip 4864
1⤵
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4576 -ip 4576
1⤵
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3244 -ip 3244
1⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4632 -ip 4632
1⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2344 -ip 2344
1⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4372 -ip 4372
1⤵
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4340 -ip 4340
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3108 -ip 3108
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1160 -ip 1160
1⤵
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1892 -ip 1892
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3908 -ip 3908
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1476 -ip 1476
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 400 -ip 400
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1548 -ip 1548
1⤵
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2548 -ip 2548
1⤵
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 728 -ip 728
1⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4984 -ip 4984
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1020 -ip 1020
1⤵
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3576 -ip 3576
1⤵
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4324 -ip 4324
1⤵
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4772 -ip 4772
1⤵
PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry