xpertrat | 27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe

Windows security bypass 2 TTPs 1 IoCs

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe

XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

XpertRAT Core payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1528-19-0x0000000000400000-0x0000000000443000-memory.dmp	xpertrat

Windows security modification 2 TTPs 1 IoCs

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

Processes:

27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe

Program crash 37 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3432	1528	WerFault.exe	iexplore.exe
4780	684	WerFault.exe	iexplore.exe
4792	3588	WerFault.exe	iexplore.exe
1120	1532	WerFault.exe	iexplore.exe
1708	4844	WerFault.exe	iexplore.exe
4384	748	WerFault.exe	iexplore.exe
4176	4192	WerFault.exe	iexplore.exe
1124	2060	WerFault.exe	iexplore.exe
1400	4968	WerFault.exe	iexplore.exe
2836	1868	WerFault.exe	iexplore.exe
388	3664	WerFault.exe	iexplore.exe
3172	4240	WerFault.exe	iexplore.exe
1904	3472	WerFault.exe	iexplore.exe
3700	3960	WerFault.exe	iexplore.exe
4260	2108	WerFault.exe	iexplore.exe
4404	4848	WerFault.exe	iexplore.exe
4352	4864	WerFault.exe	iexplore.exe
4256	4576	WerFault.exe	iexplore.exe
1268	3244	WerFault.exe	iexplore.exe
4588	4632	WerFault.exe	iexplore.exe
2992	2344	WerFault.exe	iexplore.exe
4532	4372	WerFault.exe	iexplore.exe
3520	4340	WerFault.exe	iexplore.exe
1828	3108	WerFault.exe	iexplore.exe
4504	1160	WerFault.exe	iexplore.exe
1804	1892	WerFault.exe	iexplore.exe
2764	3908	WerFault.exe	iexplore.exe
116	1476	WerFault.exe	iexplore.exe
1556	400	WerFault.exe	iexplore.exe
3824	1548	WerFault.exe	iexplore.exe
1692	2548	WerFault.exe	iexplore.exe
4148	728	WerFault.exe	iexplore.exe
468	4984	WerFault.exe	iexplore.exe
3880	1020	WerFault.exe	iexplore.exe
3388	3576	WerFault.exe	iexplore.exe
4744	4324	WerFault.exe	iexplore.exe
2868	4772	WerFault.exe	iexplore.exe

Suspicious use of SetThreadContext 38 IoCs

Processes:

27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe

description	pid	process	target process
PID 1012 set thread context of 3952	1012	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
PID 3952 set thread context of 1528	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 684	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 3588	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 1532	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 4844	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 748	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 4192	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 2060	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 4968	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 1868	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 3664	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 4240	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 3472	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 3960	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 2108	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 4848	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 4864	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 4576	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 3244	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 4632	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 2344	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 4372	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 4340	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 3108	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 1160	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 1892	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 3908	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 1476	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 400	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 1548	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 2548	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 728	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 4984	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 1020	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 3576	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 4324	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 set thread context of 4772	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe

pid	process
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe

pid process

3952 27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

1532 iexplore.exe
1020 iexplore.exe

pid	process
1532	iexplore.exe
1020	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe

description	pid	process	target process
PID 1012 wrote to memory of 3952	1012	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
PID 1012 wrote to memory of 3952	1012	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
PID 1012 wrote to memory of 3952	1012	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
PID 1012 wrote to memory of 3952	1012	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
PID 1012 wrote to memory of 3952	1012	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
PID 1012 wrote to memory of 3952	1012	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
PID 1012 wrote to memory of 3952	1012	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
PID 3952 wrote to memory of 1528	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 1528	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 1528	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 1528	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 1528	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 1528	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 1528	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 1528	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 684	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 684	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 684	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 684	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 684	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 684	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 684	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 684	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 3588	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 3588	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 3588	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 3588	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 3588	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 3588	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 3588	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 3588	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 1532	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 1532	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 1532	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 1532	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 1532	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 1532	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 1532	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 1532	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 4844	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 4844	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 4844	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 4844	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 4844	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 4844	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 4844	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 4844	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 748	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 748	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 748	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 748	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 748	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 748	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 748	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 748	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 4192	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 4192	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 4192	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 4192	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 4192	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 4192	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 4192	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 4192	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe
PID 3952 wrote to memory of 2060	3952	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe	iexplore.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

Processes:

27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe

C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
"C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1012

C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
"C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe"
2⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3952

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 12
4⤵
- Program crash
PID:3432

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 12
4⤵
- Program crash
PID:4780

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 12
4⤵
- Program crash
PID:4792

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
- Suspicious use of UnmapMainImage
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 12
4⤵
- Program crash
PID:1120

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 12
4⤵
- Program crash
PID:1708

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 12
4⤵
- Program crash
PID:4384

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 12
4⤵
- Program crash
PID:4176

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 12
4⤵
- Program crash
PID:1124

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 12
4⤵
- Program crash
PID:1400

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 12
4⤵
- Program crash
PID:2836

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 12
4⤵
- Program crash
PID:388

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 12
4⤵
- Program crash
PID:3172

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 12
4⤵
- Program crash
PID:1904

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 12
4⤵
- Program crash
PID:3700

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 12
4⤵
- Program crash
PID:4260

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 12
4⤵
- Program crash
PID:4404

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 12
4⤵
- Program crash
PID:4352

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 12
4⤵
- Program crash
PID:4256

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 12
4⤵
- Program crash
PID:1268

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 12
4⤵
- Program crash
PID:4588

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 12
4⤵
- Program crash
PID:2992

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 12
4⤵
- Program crash
PID:4532

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 12
4⤵
- Program crash
PID:3520

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 12
4⤵
- Program crash
PID:1828

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 12
4⤵
- Program crash
PID:4504

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 12
4⤵
- Program crash
PID:1804

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 12
4⤵
- Program crash
PID:2764

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 12
4⤵
- Program crash
PID:116

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 12
4⤵
- Program crash
PID:1556

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 12
4⤵
- Program crash
PID:3824

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 12
4⤵
- Program crash
PID:1692

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 12
4⤵
- Program crash
PID:4148

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 12
4⤵
- Program crash
PID:468

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
- Suspicious use of UnmapMainImage
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 12
4⤵
- Program crash
PID:3880

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 12
4⤵
- Program crash
PID:3388

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 12
4⤵
- Program crash
PID:4744

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9.exe
3⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 12
4⤵
- Program crash
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1528 -ip 1528
1⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 684 -ip 684
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3588 -ip 3588
1⤵
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1532 -ip 1532
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4844 -ip 4844
1⤵
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 748 -ip 748
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4192 -ip 4192
1⤵
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2060 -ip 2060
1⤵
PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4968 -ip 4968
1⤵
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1868 -ip 1868
1⤵
PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3664 -ip 3664
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4240 -ip 4240
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3472 -ip 3472
1⤵
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3960 -ip 3960
1⤵
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2108 -ip 2108
1⤵
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4848 -ip 4848
1⤵
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4864 -ip 4864
1⤵
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4576 -ip 4576
1⤵
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3244 -ip 3244
1⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4632 -ip 4632
1⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2344 -ip 2344
1⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4372 -ip 4372
1⤵
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4340 -ip 4340
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3108 -ip 3108
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1160 -ip 1160
1⤵
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1892 -ip 1892
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3908 -ip 3908
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1476 -ip 1476
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 400 -ip 400
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1548 -ip 1548
1⤵
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2548 -ip 2548
1⤵
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 728 -ip 728
1⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4984 -ip 4984
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1020 -ip 1020
1⤵
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3576 -ip 3576
1⤵
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4324 -ip 4324
1⤵
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4772 -ip 4772
1⤵
PID:1036

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

3

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery