smokeloader | ca389b38fb88de27d8e6782f9642d98989af618e7d1af4cd6b8e5fc8eed31186

Analysis

max time kernel
152s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
24-01-2022 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca389b38fb88de27d8e6782f9642d98989af618e7d1af4cd6b8e5fc8eed31186.exe
Size

263KB
MD5

5f8d526cc16823160c06593405a3b393
SHA1

64b97251781b811078236469b999e61bde4563d0
SHA256

ca389b38fb88de27d8e6782f9642d98989af618e7d1af4cd6b8e5fc8eed31186
SHA512

ba5690e0b0288e9ca2d647a68f6927717ae77298e3037474386e2bbf3d0ea64c5f6be26bca4e9d995751291964ef8f5b6cea058b7c432dd7782890e91494f295

Score

10^/10

smokeloader systembc backdoor persistence suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://abpa.at/upload/

http://emaratghajari.com/upload/

http://d7qw.cn/upload/

http://alumik-group.ru/upload/

http://zamkikurgan.ru/upload/

https://oakland-studio.video/search.php

https://seattle-university.video/search.php

rc4.i32

Extracted

Family

systembc

5.39.221.47:4001

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 2260 created 3808	2260	WerFault.exe	wsddduj
PID 3280 created 3580	3280	WerFault.exe	explorer.exe
PID 2196 created 2712	2196	WerFault.exe	DllHost.exe
PID 3944 created 1588	3944	WerFault.exe	DllHost.exe
PID 3512 created 1180	3512	WerFault.exe	623E.exe
PID 1952 created 3972	1952	WerFault.exe	DllHost.exe
PID 684 created 3692	684	WerFault.exe	DllHost.exe

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

27C4.exe623E.exe623E.exeurdddujwsddduj

pid process

816 27C4.exe
1180 623E.exe
1784 623E.exe
3348 urddduj
3808 wsddduj
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Drops file in Windows directory 2 IoCs

Processes:

623E.exe

description ioc process

File created C:\Windows\Tasks\wow64.job 623E.exe
File opened for modification C:\Windows\Tasks\wow64.job 623E.exe

pid	process
816	27C4.exe
1180	623E.exe
1784	623E.exe
3348	urddduj
3808	wsddduj

description	ioc	process
File created	C:\Windows\Tasks\wow64.job	623E.exe
File opened for modification	C:\Windows\Tasks\wow64.job	623E.exe

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1464	3808	WerFault.exe	wsddduj
1044	3580	WerFault.exe	explorer.exe
3236	2712	WerFault.exe	DllHost.exe
4036	1588	WerFault.exe	DllHost.exe
820	1180	WerFault.exe	623E.exe
2736	3972	WerFault.exe	DllHost.exe
2868	3692	WerFault.exe	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ca389b38fb88de27d8e6782f9642d98989af618e7d1af4cd6b8e5fc8eed31186.exe27C4.exeurddduj

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ca389b38fb88de27d8e6782f9642d98989af618e7d1af4cd6b8e5fc8eed31186.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ca389b38fb88de27d8e6782f9642d98989af618e7d1af4cd6b8e5fc8eed31186.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	27C4.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	27C4.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	urddduj
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ca389b38fb88de27d8e6782f9642d98989af618e7d1af4cd6b8e5fc8eed31186.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	27C4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	urddduj
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	urddduj

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3686677392"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30937415"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 904ed3de4711d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0f6c4de4711d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3666833425"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30937415"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30937415"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3666833425"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cce5a29beacafa47833fc2d72883fdda0000000002000000000010660000000100002000000035d0be6d5e4534a828edd82530d05d932a96f215a23948d2dd9e7ccb1192395b000000000e80000000020000200000007eaf98ed1306f5dbac70befce7760a470121521172852a5197fa70ec3a98daa1200000003a71c1886aa533b282e90a835c729feaa1ec910ddb402183e50bd58f0914d8fa400000008b687dc15dee8c6276e5e16908501991d632ad85446266f63277e3c4b0d12bbde2542e498d1974e6dc6aa8e9f0679db9370bdae313c5efae7f967a2b2a6a3432	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{05E0C192-7D3B-11EC-82D0-F2F412B024C7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cce5a29beacafa47833fc2d72883fdda000000000200000000001066000000010000200000001bb043e07ab650650a3d0ea2fa8f39f2ab069a4bbb20aaa7bd18c637cdc71edf000000000e80000000020000200000006b1b929a3072a4311b5f0436483ec09b87bd34ebf6e9df7eb2f5cea95a0a44df200000007cee54fcf7aea83a7c3658b3145ff07498263eb920504ee8ce8be5671951ec7b400000006025e0e6171e04c72be4a0e5494bc9bd97df6b4b7bc0099ee6de3189687b5714c07e4080a286198b4331426a73b6c2498676877054f67733661c76783e57268b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

WaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ca389b38fb88de27d8e6782f9642d98989af618e7d1af4cd6b8e5fc8eed31186.exe

pid	process
772	ca389b38fb88de27d8e6782f9642d98989af618e7d1af4cd6b8e5fc8eed31186.exe
772	ca389b38fb88de27d8e6782f9642d98989af618e7d1af4cd6b8e5fc8eed31186.exe
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2424

pid	process
2424

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

ca389b38fb88de27d8e6782f9642d98989af618e7d1af4cd6b8e5fc8eed31186.exe27C4.exeexplorer.exeexplorer.exeurdddujexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
772	ca389b38fb88de27d8e6782f9642d98989af618e7d1af4cd6b8e5fc8eed31186.exe
816	27C4.exe
2424
2424
2424
2424
2424
2424
4060	explorer.exe
4060	explorer.exe
2424
2424
2240	explorer.exe
2240	explorer.exe
3348	urddduj
2424
2424
60	explorer.exe
60	explorer.exe
2424
2424
3956	explorer.exe
3956	explorer.exe
2424
2424
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
2424
2424
1960	explorer.exe
1960	explorer.exe
924	explorer.exe
924	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
924	explorer.exe
924	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeIncreaseQuotaPrivilege	2904	WMIC.exe
Token: SeSecurityPrivilege	2904	WMIC.exe
Token: SeTakeOwnershipPrivilege	2904	WMIC.exe
Token: SeLoadDriverPrivilege	2904	WMIC.exe
Token: SeSystemProfilePrivilege	2904	WMIC.exe
Token: SeSystemtimePrivilege	2904	WMIC.exe
Token: SeProfSingleProcessPrivilege	2904	WMIC.exe
Token: SeIncBasePriorityPrivilege	2904	WMIC.exe
Token: SeCreatePagefilePrivilege	2904	WMIC.exe
Token: SeBackupPrivilege	2904	WMIC.exe
Token: SeRestorePrivilege	2904	WMIC.exe
Token: SeShutdownPrivilege	2904	WMIC.exe
Token: SeDebugPrivilege	2904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2904	WMIC.exe
Token: SeRemoteShutdownPrivilege	2904	WMIC.exe
Token: SeUndockPrivilege	2904	WMIC.exe
Token: SeManageVolumePrivilege	2904	WMIC.exe
Token: 33	2904	WMIC.exe
Token: 34	2904	WMIC.exe
Token: 35	2904	WMIC.exe
Token: 36	2904	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2904	WMIC.exe
Token: SeSecurityPrivilege	2904	WMIC.exe
Token: SeTakeOwnershipPrivilege	2904	WMIC.exe
Token: SeLoadDriverPrivilege	2904	WMIC.exe
Token: SeSystemProfilePrivilege	2904	WMIC.exe
Token: SeSystemtimePrivilege	2904	WMIC.exe
Token: SeProfSingleProcessPrivilege	2904	WMIC.exe
Token: SeIncBasePriorityPrivilege	2904	WMIC.exe
Token: SeCreatePagefilePrivilege	2904	WMIC.exe
Token: SeBackupPrivilege	2904	WMIC.exe
Token: SeRestorePrivilege	2904	WMIC.exe
Token: SeShutdownPrivilege	2904	WMIC.exe
Token: SeDebugPrivilege	2904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2904	WMIC.exe
Token: SeRemoteShutdownPrivilege	2904	WMIC.exe
Token: SeUndockPrivilege	2904	WMIC.exe
Token: SeManageVolumePrivilege	2904	WMIC.exe
Token: 33	2904	WMIC.exe
Token: 34	2904	WMIC.exe
Token: 35	2904	WMIC.exe
Token: 36	2904	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3896	WMIC.exe
Token: SeSecurityPrivilege	3896	WMIC.exe
Token: SeTakeOwnershipPrivilege	3896	WMIC.exe
Token: SeLoadDriverPrivilege	3896	WMIC.exe
Token: SeSystemProfilePrivilege	3896	WMIC.exe
Token: SeSystemtimePrivilege	3896	WMIC.exe
Token: SeProfSingleProcessPrivilege	3896	WMIC.exe
Token: SeIncBasePriorityPrivilege	3896	WMIC.exe
Token: SeCreatePagefilePrivilege	3896	WMIC.exe
Token: SeBackupPrivilege	3896	WMIC.exe
Token: SeRestorePrivilege	3896	WMIC.exe
Token: SeShutdownPrivilege	3896	WMIC.exe
Token: SeDebugPrivilege	3896	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3896	WMIC.exe
Token: SeRemoteShutdownPrivilege	3896	WMIC.exe
Token: SeUndockPrivilege	3896	WMIC.exe
Token: SeManageVolumePrivilege	3896	WMIC.exe
Token: 33	3896	WMIC.exe
Token: 34	3896	WMIC.exe
Token: 35	3896	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2872 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2872 iexplore.exe
2872 iexplore.exe
3248 IEXPLORE.EXE
3248 IEXPLORE.EXE

pid	process
2872	iexplore.exe

pid	process
2872	iexplore.exe
2872	iexplore.exe
3248	IEXPLORE.EXE
3248	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeiexplore.exeWerFault.exeWerFault.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 2424 wrote to memory of 816	2424		27C4.exe
PID 2424 wrote to memory of 816	2424		27C4.exe
PID 2424 wrote to memory of 816	2424		27C4.exe
PID 2424 wrote to memory of 1180	2424		623E.exe
PID 2424 wrote to memory of 1180	2424		623E.exe
PID 2424 wrote to memory of 1180	2424		623E.exe
PID 2424 wrote to memory of 3456	2424		cmd.exe
PID 2424 wrote to memory of 3456	2424		cmd.exe
PID 3456 wrote to memory of 2904	3456	cmd.exe	WMIC.exe
PID 3456 wrote to memory of 2904	3456	cmd.exe	WMIC.exe
PID 3456 wrote to memory of 3896	3456	cmd.exe	WMIC.exe
PID 3456 wrote to memory of 3896	3456	cmd.exe	WMIC.exe
PID 3456 wrote to memory of 2912	3456	cmd.exe	WMIC.exe
PID 3456 wrote to memory of 2912	3456	cmd.exe	WMIC.exe
PID 3456 wrote to memory of 204	3456	cmd.exe	WMIC.exe
PID 3456 wrote to memory of 204	3456	cmd.exe	WMIC.exe
PID 3456 wrote to memory of 220	3456	cmd.exe	WMIC.exe
PID 3456 wrote to memory of 220	3456	cmd.exe	WMIC.exe
PID 3456 wrote to memory of 3152	3456	cmd.exe	WMIC.exe
PID 3456 wrote to memory of 3152	3456	cmd.exe	WMIC.exe
PID 3456 wrote to memory of 3652	3456	cmd.exe	WMIC.exe
PID 3456 wrote to memory of 3652	3456	cmd.exe	WMIC.exe
PID 3456 wrote to memory of 2592	3456	cmd.exe	WMIC.exe
PID 3456 wrote to memory of 2592	3456	cmd.exe	WMIC.exe
PID 3456 wrote to memory of 2492	3456	cmd.exe	WMIC.exe
PID 3456 wrote to memory of 2492	3456	cmd.exe	WMIC.exe
PID 3456 wrote to memory of 924	3456	cmd.exe	WMIC.exe
PID 3456 wrote to memory of 924	3456	cmd.exe	WMIC.exe
PID 3456 wrote to memory of 3328	3456	cmd.exe	WMIC.exe
PID 3456 wrote to memory of 3328	3456	cmd.exe	WMIC.exe
PID 3456 wrote to memory of 532	3456	cmd.exe	WMIC.exe
PID 3456 wrote to memory of 532	3456	cmd.exe	WMIC.exe
PID 3456 wrote to memory of 3524	3456	cmd.exe	WMIC.exe
PID 3456 wrote to memory of 3524	3456	cmd.exe	WMIC.exe
PID 3456 wrote to memory of 3312	3456	cmd.exe	WMIC.exe
PID 3456 wrote to memory of 3312	3456	cmd.exe	WMIC.exe
PID 2872 wrote to memory of 3248	2872	iexplore.exe	IEXPLORE.EXE
PID 2872 wrote to memory of 3248	2872	iexplore.exe	IEXPLORE.EXE
PID 2872 wrote to memory of 3248	2872	iexplore.exe	IEXPLORE.EXE
PID 2260 wrote to memory of 3808	2260	WerFault.exe	wsddduj
PID 2260 wrote to memory of 3808	2260	WerFault.exe	wsddduj
PID 2424 wrote to memory of 3580	2424		explorer.exe
PID 2424 wrote to memory of 3580	2424		explorer.exe
PID 2424 wrote to memory of 3580	2424		explorer.exe
PID 2424 wrote to memory of 3580	2424		explorer.exe
PID 3280 wrote to memory of 3580	3280	WerFault.exe	explorer.exe
PID 3280 wrote to memory of 3580	3280	WerFault.exe	explorer.exe
PID 2424 wrote to memory of 3608	2424		explorer.exe
PID 2424 wrote to memory of 3608	2424		explorer.exe
PID 2424 wrote to memory of 3608	2424		explorer.exe
PID 2424 wrote to memory of 4060	2424		explorer.exe
PID 2424 wrote to memory of 4060	2424		explorer.exe
PID 2424 wrote to memory of 4060	2424		explorer.exe
PID 2424 wrote to memory of 4060	2424		explorer.exe
PID 4060 wrote to memory of 3248	4060	explorer.exe	IEXPLORE.EXE
PID 4060 wrote to memory of 3248	4060	explorer.exe	IEXPLORE.EXE
PID 2424 wrote to memory of 2240	2424		explorer.exe
PID 2424 wrote to memory of 2240	2424		explorer.exe
PID 2424 wrote to memory of 2240	2424		explorer.exe
PID 2240 wrote to memory of 2872	2240	explorer.exe	iexplore.exe
PID 2240 wrote to memory of 2872	2240	explorer.exe	iexplore.exe
PID 2424 wrote to memory of 60	2424		explorer.exe
PID 2424 wrote to memory of 60	2424		explorer.exe
PID 2424 wrote to memory of 60	2424		explorer.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2884

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3848

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:404

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2964

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2816

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2712
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2712 -s 980
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:3236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2512

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2248

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\ca389b38fb88de27d8e6782f9642d98989af618e7d1af4cd6b8e5fc8eed31186.exe
"C:\Users\Admin\AppData\Local\Temp\ca389b38fb88de27d8e6782f9642d98989af618e7d1af4cd6b8e5fc8eed31186.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:772

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2896

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 291ded432813b106132338050d83d2ae YgVdqpoXwUiqHaJ9UTdVaQ.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:216

C:\Users\Admin\AppData\Local\Temp\27C4.exe
C:\Users\Admin\AppData\Local\Temp\27C4.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:816

C:\Users\Admin\AppData\Local\Temp\623E.exe
C:\Users\Admin\AppData\Local\Temp\623E.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1180
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 1044
  2⤵
  - Program crash
  PID:820

C:\Users\Admin\AppData\Local\Temp\623E.exe
C:\Users\Admin\AppData\Local\Temp\623E.exe start
1⤵
- Executes dropped EXE
PID:1784

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3896
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
  2⤵
  PID:2912
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
  2⤵
  PID:204
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
  2⤵
  PID:220
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
  2⤵
  PID:3152
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
  2⤵
  PID:3652
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
  2⤵
  PID:2592
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
  2⤵
  PID:2492
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
  2⤵
  PID:924
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
  2⤵
  PID:3328
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
  2⤵
  PID:532
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
  2⤵
  PID:3524
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
  2⤵
  PID:3312

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:1424

C:\Users\Admin\AppData\Roaming\wsddduj
C:\Users\Admin\AppData\Roaming\wsddduj
1⤵
- Executes dropped EXE
PID:3808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 344
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:1464

C:\Users\Admin\AppData\Roaming\urddduj
C:\Users\Admin\AppData\Roaming\urddduj
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3348

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:3144

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:876

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2872 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p
1⤵
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3808 -ip 3808
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
1⤵
PID:3216

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 868
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:1044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3580 -ip 3580
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3280

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3608

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:60

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3956

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:924

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1960

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 2712 -ip 2712
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2196

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1588
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1588 -s 832
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:4036

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 1588 -ip 1588
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3944

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3972
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3972 -s 804
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1180 -ip 1180
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3512

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3972 -ip 3972
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1952

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3692
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3692 -s 780
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:2868

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 3692 -ip 3692
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\27C4.exe

MD5
5affe49e1c3db929dc1c92b14b669b83

SHA1
c8a7f95141f60f3f7cb677261a63bd6e417021d3

SHA256
92f34680d5fd6d7620e11f6d17910bd777ceca3f037f5a03d5e8fbeb81616992

SHA512
282a49bb04a2075c45367df59dd035704910d3769e8c8c6ccd3f3944b0f5e313de975b0f3b91c5ec0ebbfd5a84377eb8d328ab0fde5a53920d4a04e4a5d56c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\27C4.exe

MD5
5affe49e1c3db929dc1c92b14b669b83

SHA1
c8a7f95141f60f3f7cb677261a63bd6e417021d3

SHA256
92f34680d5fd6d7620e11f6d17910bd777ceca3f037f5a03d5e8fbeb81616992

SHA512
282a49bb04a2075c45367df59dd035704910d3769e8c8c6ccd3f3944b0f5e313de975b0f3b91c5ec0ebbfd5a84377eb8d328ab0fde5a53920d4a04e4a5d56c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\623E.exe

MD5
a01b0bc4b44afddf64029a86f41784dd

SHA1
ac559d7084e3fb42766dd71a413143ec6c29a56c

SHA256
9b4820342b301b20cac729a24a9c3215b968221b5a47c0640a455f6cde72a968

SHA512
bb543579cef5003eda5c9a9a7715cc5bcda25ea2491155bfd942317c77573b7736f749e84bf51b04f0fb0328a2db875f893d85604aeebb67bf03f8d4e61848d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\623E.exe

MD5
a01b0bc4b44afddf64029a86f41784dd

SHA1
ac559d7084e3fb42766dd71a413143ec6c29a56c

SHA256
9b4820342b301b20cac729a24a9c3215b968221b5a47c0640a455f6cde72a968

SHA512
bb543579cef5003eda5c9a9a7715cc5bcda25ea2491155bfd942317c77573b7736f749e84bf51b04f0fb0328a2db875f893d85604aeebb67bf03f8d4e61848d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\623E.exe

MD5
a01b0bc4b44afddf64029a86f41784dd

SHA1
ac559d7084e3fb42766dd71a413143ec6c29a56c

SHA256
9b4820342b301b20cac729a24a9c3215b968221b5a47c0640a455f6cde72a968

SHA512
bb543579cef5003eda5c9a9a7715cc5bcda25ea2491155bfd942317c77573b7736f749e84bf51b04f0fb0328a2db875f893d85604aeebb67bf03f8d4e61848d7

Download Submit
C:\Users\Admin\AppData\Roaming\urddduj

MD5
5affe49e1c3db929dc1c92b14b669b83

SHA1
c8a7f95141f60f3f7cb677261a63bd6e417021d3

SHA256
92f34680d5fd6d7620e11f6d17910bd777ceca3f037f5a03d5e8fbeb81616992

SHA512
282a49bb04a2075c45367df59dd035704910d3769e8c8c6ccd3f3944b0f5e313de975b0f3b91c5ec0ebbfd5a84377eb8d328ab0fde5a53920d4a04e4a5d56c36

Download Submit
C:\Users\Admin\AppData\Roaming\urddduj

MD5
5affe49e1c3db929dc1c92b14b669b83

SHA1
c8a7f95141f60f3f7cb677261a63bd6e417021d3

SHA256
92f34680d5fd6d7620e11f6d17910bd777ceca3f037f5a03d5e8fbeb81616992

SHA512
282a49bb04a2075c45367df59dd035704910d3769e8c8c6ccd3f3944b0f5e313de975b0f3b91c5ec0ebbfd5a84377eb8d328ab0fde5a53920d4a04e4a5d56c36

Download Submit
C:\Users\Admin\AppData\Roaming\wsddduj

MD5
5f8d526cc16823160c06593405a3b393

SHA1
64b97251781b811078236469b999e61bde4563d0

SHA256
ca389b38fb88de27d8e6782f9642d98989af618e7d1af4cd6b8e5fc8eed31186

SHA512
ba5690e0b0288e9ca2d647a68f6927717ae77298e3037474386e2bbf3d0ea64c5f6be26bca4e9d995751291964ef8f5b6cea058b7c432dd7782890e91494f295

Download Submit
C:\Users\Admin\AppData\Roaming\wsddduj

MD5
5f8d526cc16823160c06593405a3b393

SHA1
64b97251781b811078236469b999e61bde4563d0

SHA256
ca389b38fb88de27d8e6782f9642d98989af618e7d1af4cd6b8e5fc8eed31186

SHA512
ba5690e0b0288e9ca2d647a68f6927717ae77298e3037474386e2bbf3d0ea64c5f6be26bca4e9d995751291964ef8f5b6cea058b7c432dd7782890e91494f295

Download Submit
memory/60-187-0x0000000002940000-0x0000000002949000-memory.dmp

Filesize
36KB

Download
memory/60-186-0x0000000002950000-0x0000000002955000-memory.dmp

Filesize
20KB

Download
memory/404-204-0x00000144ED920000-0x00000144ED921000-memory.dmp

Filesize
4KB

Download
memory/772-131-0x0000000000590000-0x0000000000599000-memory.dmp

Filesize
36KB

Download
memory/772-132-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/772-130-0x0000000000580000-0x0000000000588000-memory.dmp

Filesize
32KB

Download
memory/816-137-0x0000000000550000-0x0000000000559000-memory.dmp

Filesize
36KB

Download
memory/816-138-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/816-136-0x0000000000540000-0x0000000000548000-memory.dmp

Filesize
32KB

Download
memory/820-306-0x00000000007F0000-0x00000000007FB000-memory.dmp

Filesize
44KB

Download
memory/820-304-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/876-194-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/876-195-0x0000000005330000-0x000000000533B000-memory.dmp

Filesize
44KB

Download
memory/924-190-0x0000000002950000-0x0000000002956000-memory.dmp

Filesize
24KB

Download
memory/924-191-0x0000000002940000-0x000000000294B000-memory.dmp

Filesize
44KB

Download
memory/1180-142-0x0000000000540000-0x0000000000548000-memory.dmp

Filesize
32KB

Download
memory/1180-193-0x00000000021B0000-0x00000000021BB000-memory.dmp

Filesize
44KB

Download
memory/1180-192-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/1180-143-0x00000000005A0000-0x00000000005A5000-memory.dmp

Filesize
20KB

Download
memory/1180-144-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1784-146-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1960-196-0x0000000000DE0000-0x0000000000DE7000-memory.dmp

Filesize
28KB

Download
memory/1960-197-0x0000000000DD0000-0x0000000000DDD000-memory.dmp

Filesize
52KB

Download
memory/2216-198-0x0000017C09D80000-0x0000017C09D81000-memory.dmp

Filesize
4KB

Download
memory/2240-184-0x00000000003C0000-0x00000000003CE000-memory.dmp

Filesize
56KB

Download
memory/2240-183-0x00000000003D0000-0x00000000003D9000-memory.dmp

Filesize
36KB

Download
memory/2248-199-0x000001A3E4F10000-0x000001A3E4F11000-memory.dmp

Filesize
4KB

Download
memory/2284-200-0x0000011A0C040000-0x0000011A0C041000-memory.dmp

Filesize
4KB

Download
memory/2284-218-0x0000011A0C040000-0x0000011A0C041000-memory.dmp

Filesize
4KB

Download
memory/2424-148-0x0000000002A60000-0x00000000082C0000-memory.dmp

Filesize
88.4MB

Download
memory/2424-185-0x0000000002A60000-0x00000000082C0000-memory.dmp

Filesize
88.4MB

Download
memory/2424-139-0x0000000000AC0000-0x0000000000AD6000-memory.dmp

Filesize
88KB

Download
memory/2424-133-0x0000000000B90000-0x0000000000BA6000-memory.dmp

Filesize
88KB

Download
memory/2512-201-0x00000165E3AD0000-0x00000165E3AD1000-memory.dmp

Filesize
4KB

Download
memory/2816-202-0x000001D585490000-0x000001D585491000-memory.dmp

Filesize
4KB

Download
memory/2884-203-0x0000022A2FB70000-0x0000022A2FB71000-memory.dmp

Filesize
4KB

Download
memory/2896-206-0x000001D418B50000-0x000001D418B51000-memory.dmp

Filesize
4KB

Download
memory/3348-174-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3580-178-0x0000000002C00000-0x0000000002C75000-memory.dmp

Filesize
468KB

Download
memory/3580-179-0x0000000002940000-0x00000000029AB000-memory.dmp

Filesize
428KB

Download
memory/3608-180-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/3808-175-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3848-205-0x0000027186460000-0x0000027186461000-memory.dmp

Filesize
4KB

Download
memory/3956-189-0x00000000012A0000-0x00000000012AC000-memory.dmp

Filesize
48KB

Download
memory/3956-188-0x00000000012B0000-0x00000000012B6000-memory.dmp

Filesize
24KB

Download
memory/4060-181-0x0000000002B20000-0x0000000002B27000-memory.dmp

Filesize
28KB

Download
memory/4060-182-0x0000000002B10000-0x0000000002B1B000-memory.dmp

Filesize
44KB

Download