xpertrat | 35cbc9343c28832d7bd8fca706ba5c8d68a9d3250b11346239c5c48432fbb332

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

Dissonans8.exeDissonans8.exeDissonans8.exeDissonans8.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Dissonans8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Dissonans8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Dissonans8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Dissonans8.exe

Windows security bypass 2 TTPs 4 IoCs

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

Dissonans8.exeDissonans8.exeDissonans8.exeDissonans8.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Dissonans8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Dissonans8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Dissonans8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Dissonans8.exe

XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

XpertRAT Core payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2956-14-0x0000000000400000-0x0000000000443000-memory.dmp	xpertrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

085e89b8c2a49aa819549e372a82a456_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	085e89b8c2a49aa819549e372a82a456_JaffaCakes118.exe

Executes dropped EXE 8 IoCs

Processes:

Dissonans8.exeDissonans8.exeDissonans8.exeDissonans8.exeDissonans8.exeDissonans8.exeDissonans8.exeDissonans8.exe

pid	process
2560	Dissonans8.exe
1224	Dissonans8.exe
4432	Dissonans8.exe
1752	Dissonans8.exe
968	Dissonans8.exe
4432	Dissonans8.exe
4120	Dissonans8.exe
4640	Dissonans8.exe

Windows security modification 2 TTPs 4 IoCs

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

Dissonans8.exeDissonans8.exeDissonans8.exeDissonans8.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Dissonans8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Dissonans8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Dissonans8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Dissonans8.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

System Information Discovery

T1082

Processes:

Dissonans8.exeDissonans8.exeDissonans8.exeDissonans8.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Dissonans8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Dissonans8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Dissonans8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Dissonans8.exe

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1924	2956	WerFault.exe	iexplore.exe
4600	4204	WerFault.exe	iexplore.exe
2336	4320	WerFault.exe	iexplore.exe
4756	2120	WerFault.exe	iexplore.exe
4884	4784	WerFault.exe	iexplore.exe
4692	2692	WerFault.exe	iexplore.exe
2424	4876	WerFault.exe	iexplore.exe
1516	1612	WerFault.exe	iexplore.exe
2500	3708	WerFault.exe	iexplore.exe
1328	2332	WerFault.exe	iexplore.exe
3908	548	WerFault.exe	iexplore.exe
4284	4184	WerFault.exe	iexplore.exe
976	1124	WerFault.exe	iexplore.exe
2716	1136	WerFault.exe	iexplore.exe
4016	4940	WerFault.exe	iexplore.exe
1164	3948	WerFault.exe	iexplore.exe
456	4524	WerFault.exe	iexplore.exe
4376	3076	WerFault.exe	iexplore.exe
3192	1052	WerFault.exe	iexplore.exe
5016	3296	WerFault.exe	iexplore.exe
3904	3056	WerFault.exe	iexplore.exe
4624	3196	WerFault.exe	iexplore.exe
4432	2544	WerFault.exe	iexplore.exe
400	2612	WerFault.exe	iexplore.exe
4864	2476	WerFault.exe	iexplore.exe
1580	1160	WerFault.exe	iexplore.exe
1600	836	WerFault.exe	iexplore.exe
732	3536	WerFault.exe	iexplore.exe
3864	4420	WerFault.exe	iexplore.exe
1056	5064	WerFault.exe	iexplore.exe
3312	2180	WerFault.exe	iexplore.exe
2176	4464	WerFault.exe	iexplore.exe
2624	3808	WerFault.exe	iexplore.exe
3432	976	WerFault.exe	iexplore.exe
4920	1440	WerFault.exe	iexplore.exe
2432	4236	WerFault.exe	iexplore.exe
1444	3984	WerFault.exe	iexplore.exe
1972	1240	WerFault.exe	iexplore.exe
760	3068	WerFault.exe	iexplore.exe
2044	4696	WerFault.exe	iexplore.exe
3228	1592	WerFault.exe	iexplore.exe
3904	636	WerFault.exe	iexplore.exe
4460	1864	WerFault.exe	iexplore.exe
2512	2620	WerFault.exe	iexplore.exe
2596	4288	WerFault.exe	iexplore.exe
5008	4620	WerFault.exe	iexplore.exe
2296	228	WerFault.exe	iexplore.exe
3000	712	WerFault.exe	iexplore.exe
3388	4676	WerFault.exe	iexplore.exe
3176	4776	WerFault.exe	iexplore.exe
1244	692	WerFault.exe	iexplore.exe
4664	2456	WerFault.exe	iexplore.exe
4540	736	WerFault.exe	iexplore.exe
3308	1640	WerFault.exe	iexplore.exe
3440	5016	WerFault.exe	iexplore.exe
3444	4384	WerFault.exe	iexplore.exe
2160	3084	WerFault.exe	iexplore.exe
2840	2380	WerFault.exe	iexplore.exe
756	4768	WerFault.exe	iexplore.exe
2748	740	WerFault.exe	iexplore.exe
2124	3164	WerFault.exe	iexplore.exe
3248	4472	WerFault.exe	iexplore.exe
1556	4744	WerFault.exe	iexplore.exe
1056	1832	WerFault.exe	iexplore.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

Dissonans8.exeDissonans8.exeDissonans8.exeDissonans8.exeDissonans8.exeDissonans8.exe

description	pid	process	target process
PID 2560 set thread context of 1224	2560	Dissonans8.exe	Dissonans8.exe
PID 1224 set thread context of 2956	1224	Dissonans8.exe	iexplore.exe
PID 1224 set thread context of 4204	1224	Dissonans8.exe	iexplore.exe
PID 1224 set thread context of 4320	1224	Dissonans8.exe	iexplore.exe
PID 1224 set thread context of 2120	1224	Dissonans8.exe	iexplore.exe
PID 1224 set thread context of 4784	1224	Dissonans8.exe	iexplore.exe
PID 4432 set thread context of 1752	4432	Dissonans8.exe	Dissonans8.exe
PID 1752 set thread context of 2692	1752	Dissonans8.exe	iexplore.exe
PID 1224 set thread context of 4876	1224	Dissonans8.exe	iexplore.exe
PID 1752 set thread context of 1612	1752	Dissonans8.exe	iexplore.exe
PID 1224 set thread context of 3708	1224	Dissonans8.exe	iexplore.exe
PID 1752 set thread context of 2332	1752	Dissonans8.exe	iexplore.exe
PID 1224 set thread context of 548	1224	Dissonans8.exe	iexplore.exe
PID 1752 set thread context of 4184	1752	Dissonans8.exe	iexplore.exe
PID 1224 set thread context of 1124	1224	Dissonans8.exe	iexplore.exe
PID 1752 set thread context of 1136	1752	Dissonans8.exe	iexplore.exe
PID 1224 set thread context of 4940	1224	Dissonans8.exe	iexplore.exe
PID 1752 set thread context of 3948	1752	Dissonans8.exe	iexplore.exe
PID 1224 set thread context of 4524	1224	Dissonans8.exe	iexplore.exe
PID 1752 set thread context of 3076	1752	Dissonans8.exe	iexplore.exe
PID 1224 set thread context of 1052	1224	Dissonans8.exe	iexplore.exe
PID 1752 set thread context of 3296	1752	Dissonans8.exe	iexplore.exe
PID 1224 set thread context of 3056	1224	Dissonans8.exe	iexplore.exe
PID 1752 set thread context of 3196	1752	Dissonans8.exe	iexplore.exe
PID 1224 set thread context of 2544	1224	Dissonans8.exe	iexplore.exe
PID 1752 set thread context of 2612	1752	Dissonans8.exe	iexplore.exe
PID 1224 set thread context of 2476	1224	Dissonans8.exe	iexplore.exe
PID 1752 set thread context of 1160	1752	Dissonans8.exe	iexplore.exe
PID 1224 set thread context of 836	1224	Dissonans8.exe	iexplore.exe
PID 1752 set thread context of 3536	1752	Dissonans8.exe	iexplore.exe
PID 1224 set thread context of 4420	1224	Dissonans8.exe	iexplore.exe
PID 1752 set thread context of 5064	1752	Dissonans8.exe	iexplore.exe
PID 1224 set thread context of 2180	1224	Dissonans8.exe	iexplore.exe
PID 1752 set thread context of 4464	1752	Dissonans8.exe	iexplore.exe
PID 1224 set thread context of 3808	1224	Dissonans8.exe	iexplore.exe
PID 1752 set thread context of 976	1752	Dissonans8.exe	iexplore.exe
PID 1224 set thread context of 1440	1224	Dissonans8.exe	iexplore.exe
PID 1752 set thread context of 4236	1752	Dissonans8.exe	iexplore.exe
PID 1224 set thread context of 3984	1224	Dissonans8.exe	iexplore.exe
PID 1752 set thread context of 1240	1752	Dissonans8.exe	iexplore.exe
PID 1224 set thread context of 3068	1224	Dissonans8.exe	iexplore.exe
PID 1752 set thread context of 4696	1752	Dissonans8.exe	iexplore.exe
PID 1224 set thread context of 1592	1224	Dissonans8.exe	iexplore.exe
PID 1752 set thread context of 636	1752	Dissonans8.exe	iexplore.exe
PID 1224 set thread context of 1864	1224	Dissonans8.exe	iexplore.exe
PID 1752 set thread context of 2620	1752	Dissonans8.exe	iexplore.exe
PID 968 set thread context of 4432	968	Dissonans8.exe	Dissonans8.exe
PID 4432 set thread context of 4288	4432	Dissonans8.exe	iexplore.exe
PID 1224 set thread context of 4620	1224	Dissonans8.exe	iexplore.exe
PID 1752 set thread context of 4852	1752	Dissonans8.exe	iexplore.exe
PID 4432 set thread context of 228	4432	Dissonans8.exe	iexplore.exe
PID 1224 set thread context of 712	1224	Dissonans8.exe	iexplore.exe
PID 1752 set thread context of 1208	1752	Dissonans8.exe	iexplore.exe
PID 4432 set thread context of 4676	4432	Dissonans8.exe	iexplore.exe
PID 1224 set thread context of 4776	1224	Dissonans8.exe	iexplore.exe
PID 1752 set thread context of 872	1752	Dissonans8.exe	iexplore.exe
PID 4432 set thread context of 692	4432	Dissonans8.exe	iexplore.exe
PID 1224 set thread context of 2456	1224	Dissonans8.exe	iexplore.exe
PID 1752 set thread context of 1772	1752	Dissonans8.exe	iexplore.exe
PID 4432 set thread context of 736	4432	Dissonans8.exe	iexplore.exe
PID 1224 set thread context of 1640	1224	Dissonans8.exe	iexplore.exe
PID 1752 set thread context of 544	1752	Dissonans8.exe	iexplore.exe
PID 4432 set thread context of 5016	4432	Dissonans8.exe	iexplore.exe
PID 1224 set thread context of 4384	1224	Dissonans8.exe	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3520 schtasks.exe

pid	process
3520	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Dissonans8.exeDissonans8.exe

pid	process
1224	Dissonans8.exe
1224	Dissonans8.exe
1224	Dissonans8.exe
1224	Dissonans8.exe
1224	Dissonans8.exe
1224	Dissonans8.exe
1224	Dissonans8.exe
1224	Dissonans8.exe
1224	Dissonans8.exe
1224	Dissonans8.exe
1752	Dissonans8.exe
1752	Dissonans8.exe
1224	Dissonans8.exe
1224	Dissonans8.exe
1752	Dissonans8.exe
1752	Dissonans8.exe
1224	Dissonans8.exe
1224	Dissonans8.exe
1752	Dissonans8.exe
1752	Dissonans8.exe
1224	Dissonans8.exe
1224	Dissonans8.exe
1752	Dissonans8.exe
1752	Dissonans8.exe
1224	Dissonans8.exe
1224	Dissonans8.exe
1752	Dissonans8.exe
1752	Dissonans8.exe
1224	Dissonans8.exe
1224	Dissonans8.exe
1752	Dissonans8.exe
1752	Dissonans8.exe
1224	Dissonans8.exe
1224	Dissonans8.exe
1752	Dissonans8.exe
1752	Dissonans8.exe
1224	Dissonans8.exe
1224	Dissonans8.exe
1752	Dissonans8.exe
1752	Dissonans8.exe
1224	Dissonans8.exe
1224	Dissonans8.exe
1752	Dissonans8.exe
1752	Dissonans8.exe
1224	Dissonans8.exe
1224	Dissonans8.exe
1752	Dissonans8.exe
1752	Dissonans8.exe
1224	Dissonans8.exe
1224	Dissonans8.exe
1752	Dissonans8.exe
1752	Dissonans8.exe
1224	Dissonans8.exe
1224	Dissonans8.exe
1752	Dissonans8.exe
1752	Dissonans8.exe
1224	Dissonans8.exe
1224	Dissonans8.exe
1752	Dissonans8.exe
1752	Dissonans8.exe
1224	Dissonans8.exe
1224	Dissonans8.exe
1752	Dissonans8.exe
1752	Dissonans8.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

085e89b8c2a49aa819549e372a82a456_JaffaCakes118.exeDissonans8.exeDissonans8.exeDissonans8.exeDissonans8.exeDissonans8.exeDissonans8.exeDissonans8.exeDissonans8.exe

pid	process
4676	085e89b8c2a49aa819549e372a82a456_JaffaCakes118.exe
2560	Dissonans8.exe
1224	Dissonans8.exe
4432	Dissonans8.exe
1752	Dissonans8.exe
968	Dissonans8.exe
4432	Dissonans8.exe
4120	Dissonans8.exe
4640	Dissonans8.exe

Suspicious use of UnmapMainImage 7 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

4784 iexplore.exe
2692 iexplore.exe
3076 iexplore.exe
228 iexplore.exe
4768 iexplore.exe
740 iexplore.exe
3436 iexplore.exe

pid	process
4784	iexplore.exe
2692	iexplore.exe
3076	iexplore.exe
228	iexplore.exe
4768	iexplore.exe
740	iexplore.exe
3436	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

085e89b8c2a49aa819549e372a82a456_JaffaCakes118.exeDissonans8.exeDissonans8.exeDissonans8.exe

description	pid	process	target process
PID 4676 wrote to memory of 3520	4676	085e89b8c2a49aa819549e372a82a456_JaffaCakes118.exe	schtasks.exe
PID 4676 wrote to memory of 3520	4676	085e89b8c2a49aa819549e372a82a456_JaffaCakes118.exe	schtasks.exe
PID 4676 wrote to memory of 3520	4676	085e89b8c2a49aa819549e372a82a456_JaffaCakes118.exe	schtasks.exe
PID 4676 wrote to memory of 2040	4676	085e89b8c2a49aa819549e372a82a456_JaffaCakes118.exe	schtasks.exe
PID 4676 wrote to memory of 2040	4676	085e89b8c2a49aa819549e372a82a456_JaffaCakes118.exe	schtasks.exe
PID 4676 wrote to memory of 2040	4676	085e89b8c2a49aa819549e372a82a456_JaffaCakes118.exe	schtasks.exe
PID 2560 wrote to memory of 1224	2560	Dissonans8.exe	Dissonans8.exe
PID 2560 wrote to memory of 1224	2560	Dissonans8.exe	Dissonans8.exe
PID 2560 wrote to memory of 1224	2560	Dissonans8.exe	Dissonans8.exe
PID 2560 wrote to memory of 1224	2560	Dissonans8.exe	Dissonans8.exe
PID 2560 wrote to memory of 1224	2560	Dissonans8.exe	Dissonans8.exe
PID 2560 wrote to memory of 1224	2560	Dissonans8.exe	Dissonans8.exe
PID 2560 wrote to memory of 1224	2560	Dissonans8.exe	Dissonans8.exe
PID 2560 wrote to memory of 1224	2560	Dissonans8.exe	Dissonans8.exe
PID 2560 wrote to memory of 1224	2560	Dissonans8.exe	Dissonans8.exe
PID 1224 wrote to memory of 2956	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 2956	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 2956	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 2956	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 2956	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 2956	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 2956	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 2956	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 4204	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 4204	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 4204	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 4204	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 4204	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 4204	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 4204	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 4204	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 4320	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 4320	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 4320	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 4320	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 4320	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 4320	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 4320	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 4320	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 2120	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 2120	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 2120	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 2120	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 2120	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 2120	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 2120	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 2120	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 4784	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 4784	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 4784	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 4784	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 4784	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 4784	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 4784	1224	Dissonans8.exe	iexplore.exe
PID 1224 wrote to memory of 4784	1224	Dissonans8.exe	iexplore.exe
PID 4432 wrote to memory of 1752	4432	Dissonans8.exe	Dissonans8.exe
PID 4432 wrote to memory of 1752	4432	Dissonans8.exe	Dissonans8.exe
PID 4432 wrote to memory of 1752	4432	Dissonans8.exe	Dissonans8.exe
PID 4432 wrote to memory of 1752	4432	Dissonans8.exe	Dissonans8.exe
PID 4432 wrote to memory of 1752	4432	Dissonans8.exe	Dissonans8.exe
PID 4432 wrote to memory of 1752	4432	Dissonans8.exe	Dissonans8.exe
PID 4432 wrote to memory of 1752	4432	Dissonans8.exe	Dissonans8.exe
PID 4432 wrote to memory of 1752	4432	Dissonans8.exe	Dissonans8.exe
PID 4432 wrote to memory of 1752	4432	Dissonans8.exe	Dissonans8.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

Processes:

Dissonans8.exeDissonans8.exeDissonans8.exeDissonans8.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Dissonans8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Dissonans8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Dissonans8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Dissonans8.exe

C:\Users\Admin\AppData\Local\Temp\085e89b8c2a49aa819549e372a82a456_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\085e89b8c2a49aa819549e372a82a456_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "Snyltehveps6" /TR "\"C:\ProgramData\Dissonans8.exe\""
2⤵
- Creates scheduled task(s)
PID:3520

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /run /tn "Snyltehveps6"
2⤵
PID:2040

C:\ProgramData\Dissonans8.exe
C:\ProgramData\Dissonans8.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2560

C:\ProgramData\Dissonans8.exe
C:\ProgramData\Dissonans8.exe
2⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1224

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 12
4⤵
- Program crash
PID:1924

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 12
4⤵
- Program crash
PID:4600

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 12
4⤵
- Program crash
PID:2336

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 12
4⤵
- Program crash
PID:4756

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
- Suspicious use of UnmapMainImage
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 12
4⤵
- Program crash
PID:4884

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 12
4⤵
- Program crash
PID:2424

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 12
4⤵
- Program crash
PID:2500

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 12
4⤵
- Program crash
PID:3908

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:1124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 12
4⤵
- Program crash
PID:976

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 12
4⤵
- Program crash
PID:4016

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 12
4⤵
- Program crash
PID:456

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:1052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 12
4⤵
- Program crash
PID:3192

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 12
4⤵
- Program crash
PID:3904

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 12
4⤵
- Program crash
PID:4432

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 12
4⤵
- Program crash
PID:4864

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 12
4⤵
- Program crash
PID:1600

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 12
4⤵
- Program crash
PID:3864

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 12
4⤵
- Program crash
PID:3312

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 12
4⤵
- Program crash
PID:2624

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 12
4⤵
- Program crash
PID:4920

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 12
4⤵
- Program crash
PID:1444

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 12
4⤵
- Program crash
PID:760

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 12
4⤵
- Program crash
PID:3228

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 12
4⤵
- Program crash
PID:4460

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 12
4⤵
- Program crash
PID:5008

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 712 -s 12
4⤵
- Program crash
PID:3000

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 12
4⤵
- Program crash
PID:3176

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 12
4⤵
- Program crash
PID:4664

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 12
4⤵
- Program crash
PID:3308

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 12
4⤵
- Program crash
PID:3444

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 12
4⤵
- Program crash
PID:2840

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
- Suspicious use of UnmapMainImage
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 12
4⤵
- Program crash
PID:2748

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:2424

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 12
4⤵
PID:2296

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:2716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 12
4⤵
PID:2700

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4564

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 12
4⤵
PID:3608

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 12
4⤵
PID:4292

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4312

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 12
4⤵
PID:2368

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4468

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 12
4⤵
PID:700

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4328

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 12
4⤵
PID:4576

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:1288

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2956 -ip 2956
1⤵
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4204 -ip 4204
1⤵
PID:968

C:\ProgramData\Dissonans8.exe
C:\ProgramData\Dissonans8.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4432

C:\ProgramData\Dissonans8.exe
C:\ProgramData\Dissonans8.exe
2⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1752

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
- Suspicious use of UnmapMainImage
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 12
4⤵
- Program crash
PID:4692

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 12
4⤵
- Program crash
PID:1516

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 12
4⤵
- Program crash
PID:1328

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 12
4⤵
- Program crash
PID:4284

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 12
4⤵
- Program crash
PID:2716

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 12
4⤵
- Program crash
PID:1164

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
- Suspicious use of UnmapMainImage
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 12
4⤵
- Program crash
PID:4376

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 12
4⤵
- Program crash
PID:5016

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 12
4⤵
- Program crash
PID:4624

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 12
4⤵
- Program crash
PID:400

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 12
4⤵
- Program crash
PID:1580

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 12
4⤵
- Program crash
PID:732

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 12
4⤵
- Program crash
PID:1056

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 12
4⤵
- Program crash
PID:2176

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 12
4⤵
- Program crash
PID:3432

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 12
4⤵
- Program crash
PID:2432

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 12
4⤵
- Program crash
PID:1972

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 12
4⤵
- Program crash
PID:2044

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 12
4⤵
- Program crash
PID:3904

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 12
4⤵
- Program crash
PID:2512

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4852

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:1208

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:872

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:1772

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:544

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:3508

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4364

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 12
4⤵
- Program crash
PID:2124

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 12
4⤵
- Program crash
PID:1556

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4628

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 12
4⤵
PID:1692

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 12
4⤵
PID:3276

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 12
4⤵
PID:1316

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 12
4⤵
PID:3612

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 12
4⤵
PID:2472

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 12
4⤵
PID:1056

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 12
4⤵
PID:4684

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 12
4⤵
PID:4624

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 12
4⤵
PID:3472

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 12
4⤵
PID:732

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 12
4⤵
PID:760

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4320 -ip 4320
1⤵
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2120 -ip 2120
1⤵
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4784 -ip 4784
1⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2692 -ip 2692
1⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4876 -ip 4876
1⤵
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1612 -ip 1612
1⤵
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3708 -ip 3708
1⤵
PID:836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2332 -ip 2332
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 548 -ip 548
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4184 -ip 4184
1⤵
PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1124 -ip 1124
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1136 -ip 1136
1⤵
PID:592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4940 -ip 4940
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3948 -ip 3948
1⤵
PID:516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4524 -ip 4524
1⤵
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3076 -ip 3076
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1052 -ip 1052
1⤵
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3296 -ip 3296
1⤵
PID:908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3056 -ip 3056
1⤵
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3196 -ip 3196
1⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2544 -ip 2544
1⤵
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2612 -ip 2612
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2476 -ip 2476
1⤵
PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1160 -ip 1160
1⤵
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 836 -ip 836
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3536 -ip 3536
1⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4420 -ip 4420
1⤵
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5064 -ip 5064
1⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2180 -ip 2180
1⤵
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4464 -ip 4464
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3808 -ip 3808
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 976 -ip 976
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1440 -ip 1440
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4236 -ip 4236
1⤵
PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 3984 -ip 3984
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1240 -ip 1240
1⤵
PID:1380

C:\ProgramData\Dissonans8.exe
C:\ProgramData\Dissonans8.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:968

C:\ProgramData\Dissonans8.exe
C:\ProgramData\Dissonans8.exe
2⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4432

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 12
4⤵
- Program crash
PID:2596

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
- Suspicious use of UnmapMainImage
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 12
4⤵
- Program crash
PID:2296

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 12
4⤵
- Program crash
PID:3388

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 692 -s 12
4⤵
- Program crash
PID:1244

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 12
4⤵
- Program crash
PID:4540

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 12
4⤵
- Program crash
PID:3440

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 12
4⤵
- Program crash
PID:2160

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
- Suspicious use of UnmapMainImage
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 12
4⤵
- Program crash
PID:756

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 12
4⤵
- Program crash
PID:3248

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 12
4⤵
- Program crash
PID:1056

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 12
4⤵
PID:3388

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 12
4⤵
PID:3892

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 12
4⤵
PID:372

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 12
4⤵
PID:216

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 12
4⤵
PID:1448

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 12
4⤵
PID:1820

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 12
4⤵
PID:4388

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 12
4⤵
PID:3792

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
- Suspicious use of UnmapMainImage
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 12
4⤵
PID:3480

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 12
4⤵
PID:996

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 12
4⤵
PID:3672

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 12
4⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 3068 -ip 3068
1⤵
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4696 -ip 4696
1⤵
PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 1592 -ip 1592
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 636 -ip 636
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1864 -ip 1864
1⤵
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 2620 -ip 2620
1⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 4288 -ip 4288
1⤵
PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 4620 -ip 4620
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 796 -p 4852 -ip 4852
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 228 -ip 228
1⤵
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 816 -p 712 -ip 712
1⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 1208 -ip 1208
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4676 -ip 4676
1⤵
PID:516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4776 -ip 4776
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 852 -p 872 -ip 872
1⤵
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 852 -p 692 -ip 692
1⤵
PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 860 -p 2456 -ip 2456
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 1772 -ip 1772
1⤵
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 736 -ip 736
1⤵
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 1640 -ip 1640
1⤵
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 872 -p 544 -ip 544
1⤵
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 5016 -ip 5016
1⤵
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 4384 -ip 4384
1⤵
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 864 -p 3508 -ip 3508
1⤵
PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 836 -p 3084 -ip 3084
1⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 2380 -ip 2380
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 4364 -ip 4364
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 4768 -ip 4768
1⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 852 -p 740 -ip 740
1⤵
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 3164 -ip 3164
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 832 -p 4472 -ip 4472
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 2424 -ip 2424
1⤵
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4744 -ip 4744
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1832 -ip 1832
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 2992 -ip 2992
1⤵
PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 4628 -ip 4628
1⤵
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 868 -p 4752 -ip 4752
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 2716 -ip 2716
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 5068 -ip 5068
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 876 -p 908 -ip 908
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 4564 -ip 4564
1⤵
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 4896 -ip 4896
1⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3468 -ip 3468
1⤵
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 836 -p 804 -ip 804
1⤵
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 2304 -ip 2304
1⤵
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 896 -p 3748 -ip 3748
1⤵
PID:2512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 4480 -ip 4480
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 916 -p 2752 -ip 2752
1⤵
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 924 -p 756 -ip 756
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 896 -p 4312 -ip 4312
1⤵
PID:996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 904 -p 4112 -ip 4112
1⤵
PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 920 -p 3000 -ip 3000
1⤵
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2040 -ip 2040
1⤵
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 928 -p 3096 -ip 3096
1⤵
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 4484 -ip 4484
1⤵
PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4468 -ip 4468
1⤵
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1720 -ip 1720
1⤵
PID:4048

C:\ProgramData\Dissonans8.exe
C:\ProgramData\Dissonans8.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4120

C:\ProgramData\Dissonans8.exe
C:\ProgramData\Dissonans8.exe
2⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4640

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:3704

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\ProgramData\Dissonans8.exe
3⤵
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 12
4⤵
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 916 -p 2364 -ip 2364
1⤵
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 3644 -ip 3644
1⤵
PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 900 -p 768 -ip 768
1⤵
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 944 -p 3436 -ip 3436
1⤵
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4328 -ip 4328
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 4616 -ip 4616
1⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 3952 -ip 3952
1⤵
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 4160 -ip 4160
1⤵
PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 832 -p 4496 -ip 4496
1⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 884 -p 4140 -ip 4140
1⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 892 -p 3704 -ip 3704
1⤵
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 1288 -ip 1288
1⤵
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 3500 -ip 3500
1⤵
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 904 -p 220 -ip 220
1⤵
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 3180 -ip 3180
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3636 -ip 3636
1⤵
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 2340 -ip 2340
1⤵
PID:2428

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

3

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry