xpertrat | 27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe

Windows security bypass 2 TTPs 1 IoCs

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe

XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

XpertRAT Core payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4752-19-0x0000000000400000-0x0000000000443000-memory.dmp	xpertrat

Windows security modification 2 TTPs 1 IoCs

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

Processes:

27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe

Program crash 37 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
968	4752	WerFault.exe	iexplore.exe
708	1800	WerFault.exe	iexplore.exe
1924	1236	WerFault.exe	iexplore.exe
2308	5108	WerFault.exe	iexplore.exe
2520	2004	WerFault.exe	iexplore.exe
4580	2140	WerFault.exe	iexplore.exe
488	1828	WerFault.exe	iexplore.exe
1040	3444	WerFault.exe	iexplore.exe
3080	1644	WerFault.exe	iexplore.exe
3652	660	WerFault.exe	iexplore.exe
4428	3416	WerFault.exe	iexplore.exe
3640	4964	WerFault.exe	iexplore.exe
3324	980	WerFault.exe	iexplore.exe
2948	2804	WerFault.exe	iexplore.exe
4952	2392	WerFault.exe	iexplore.exe
3380	2844	WerFault.exe	iexplore.exe
4504	2548	WerFault.exe	iexplore.exe
2544	4928	WerFault.exe	iexplore.exe
900	3208	WerFault.exe	iexplore.exe
2072	1156	WerFault.exe	iexplore.exe
3760	4424	WerFault.exe	iexplore.exe
2944	1564	WerFault.exe	iexplore.exe
4084	1172	WerFault.exe	iexplore.exe
3708	4744	WerFault.exe	iexplore.exe
3176	1832	WerFault.exe	iexplore.exe
1048	2272	WerFault.exe	iexplore.exe
1888	3688	WerFault.exe	iexplore.exe
4760	2028	WerFault.exe	iexplore.exe
3756	1332	WerFault.exe	iexplore.exe
216	4576	WerFault.exe	iexplore.exe
1476	2752	WerFault.exe	iexplore.exe
2284	2320	WerFault.exe	iexplore.exe
3440	404	WerFault.exe	iexplore.exe
748	3084	WerFault.exe	iexplore.exe
5060	3464	WerFault.exe	iexplore.exe
3868	3404	WerFault.exe	iexplore.exe
3684	444	WerFault.exe	iexplore.exe

Suspicious use of SetThreadContext 38 IoCs

Processes:

27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe

description	pid	process	target process
PID 3976 set thread context of 4716	3976	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
PID 4716 set thread context of 4752	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 1800	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 1236	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 5108	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 2004	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 2140	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 1828	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 3444	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 1644	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 660	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 3416	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 4964	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 980	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 2804	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 2392	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 2844	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 2548	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 4928	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 3208	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 1156	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 4424	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 1564	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 1172	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 4744	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 1832	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 2272	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 3688	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 2028	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 1332	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 4576	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 2752	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 2320	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 404	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 3084	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 3464	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 3404	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 set thread context of 444	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe

pid	process
3976	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3976	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe

description pid process

Token: SeDebugPrivilege 3976 27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe

pid process

4716 27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

2004 iexplore.exe
2272 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	3976	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe

pid	process
4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe

pid	process
2004	iexplore.exe
2272	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe

description	pid	process	target process
PID 3976 wrote to memory of 2312	3976	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
PID 3976 wrote to memory of 2312	3976	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
PID 3976 wrote to memory of 2312	3976	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
PID 3976 wrote to memory of 4716	3976	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
PID 3976 wrote to memory of 4716	3976	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
PID 3976 wrote to memory of 4716	3976	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
PID 3976 wrote to memory of 4716	3976	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
PID 3976 wrote to memory of 4716	3976	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
PID 3976 wrote to memory of 4716	3976	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
PID 3976 wrote to memory of 4716	3976	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
PID 4716 wrote to memory of 4752	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 4752	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 4752	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 4752	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 4752	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 4752	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 4752	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 4752	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 1800	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 1800	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 1800	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 1800	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 1800	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 1800	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 1800	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 1800	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 1236	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 1236	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 1236	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 1236	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 1236	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 1236	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 1236	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 1236	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 5108	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 5108	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 5108	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 5108	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 5108	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 5108	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 5108	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 5108	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 2004	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 2004	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 2004	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 2004	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 2004	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 2004	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 2004	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 2004	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 2140	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 2140	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 2140	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 2140	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 2140	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 2140	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 2140	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 2140	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 1828	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 1828	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 1828	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 1828	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 1828	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe
PID 4716 wrote to memory of 1828	4716	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe	iexplore.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

Processes:

27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe

C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
"C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3976

C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
"C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe"
2⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
"C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe"
2⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4716

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 12
4⤵
- Program crash
PID:968

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 12
4⤵
- Program crash
PID:708

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 12
4⤵
- Program crash
PID:1924

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 12
4⤵
- Program crash
PID:2308

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
- Suspicious use of UnmapMainImage
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 12
4⤵
- Program crash
PID:2520

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 12
4⤵
- Program crash
PID:4580

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 12
4⤵
- Program crash
PID:488

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 12
4⤵
- Program crash
PID:1040

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 12
4⤵
- Program crash
PID:3080

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 12
4⤵
- Program crash
PID:3652

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 12
4⤵
- Program crash
PID:4428

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 12
4⤵
- Program crash
PID:3640

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 12
4⤵
- Program crash
PID:3324

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 12
4⤵
- Program crash
PID:2948

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 12
4⤵
- Program crash
PID:4952

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:2844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 12
4⤵
- Program crash
PID:3380

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 12
4⤵
- Program crash
PID:4504

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 12
4⤵
- Program crash
PID:2544

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 12
4⤵
- Program crash
PID:900

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 12
4⤵
- Program crash
PID:2072

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 12
4⤵
- Program crash
PID:3760

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 12
4⤵
- Program crash
PID:2944

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 12
4⤵
- Program crash
PID:4084

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 12
4⤵
- Program crash
PID:3708

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 12
4⤵
- Program crash
PID:3176

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
- Suspicious use of UnmapMainImage
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 12
4⤵
- Program crash
PID:1048

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 12
4⤵
- Program crash
PID:1888

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 12
4⤵
- Program crash
PID:4760

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 12
4⤵
- Program crash
PID:3756

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 12
4⤵
- Program crash
PID:216

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 12
4⤵
- Program crash
PID:1476

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 12
4⤵
- Program crash
PID:2284

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 12
4⤵
- Program crash
PID:3440

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 12
4⤵
- Program crash
PID:748

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 12
4⤵
- Program crash
PID:5060

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 12
4⤵
- Program crash
PID:3868

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9_JC.exe
3⤵
PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 12
4⤵
- Program crash
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4752 -ip 4752
1⤵
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1800 -ip 1800
1⤵
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1236 -ip 1236
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5108 -ip 5108
1⤵
PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2004 -ip 2004
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2140 -ip 2140
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1828 -ip 1828
1⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3444 -ip 3444
1⤵
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1644 -ip 1644
1⤵
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 660 -ip 660
1⤵
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3416 -ip 3416
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4964 -ip 4964
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 980 -ip 980
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2804 -ip 2804
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2392 -ip 2392
1⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2844 -ip 2844
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2548 -ip 2548
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4928 -ip 4928
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3208 -ip 3208
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1156 -ip 1156
1⤵
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4424 -ip 4424
1⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1564 -ip 1564
1⤵
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1172 -ip 1172
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4744 -ip 4744
1⤵
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1832 -ip 1832
1⤵
PID:492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2272 -ip 2272
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3688 -ip 3688
1⤵
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2028 -ip 2028
1⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1332 -ip 1332
1⤵
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4576 -ip 4576
1⤵
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2752 -ip 2752
1⤵
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2320 -ip 2320
1⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 404 -ip 404
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3084 -ip 3084
1⤵
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3464 -ip 3464
1⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3404 -ip 3404
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 444 -ip 444
1⤵
PID:3796

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

3

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery