redline | be2217174a9927d8df6977aca91f733234854a7d58ea4a4379a6c5735a9200f1

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

be2217174a9927d8df6977aca91f733234854a7d58ea4a4379a6c5735a9200f1.exe7468.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	be2217174a9927d8df6977aca91f733234854a7d58ea4a4379a6c5735a9200f1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	be2217174a9927d8df6977aca91f733234854a7d58ea4a4379a6c5735a9200f1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	be2217174a9927d8df6977aca91f733234854a7d58ea4a4379a6c5735a9200f1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7468.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7468.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7468.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3192 tasklist.exe

pid	process
3192	tasklist.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

System Information Discovery

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXEipconfig.exeipconfig.exeNETSTAT.EXE

pid process

3068 NETSTAT.EXE
764 ipconfig.exe
1964 ipconfig.exe
488 NETSTAT.EXE
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1316 systeminfo.exe

pid	process
3068	NETSTAT.EXE
764	ipconfig.exe
1964	ipconfig.exe
488	NETSTAT.EXE

pid	process
1316	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 22 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30937573"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2332498120"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2332498120"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B6691D33-7DD8-11EC-82D0-7AB5AFB0B0FC} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30937573"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2349373581"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30937573"	IEXPLORE.EXE

Modifies data under HKEY_USERS 41 IoCs

Processes:

WaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

be2217174a9927d8df6977aca91f733234854a7d58ea4a4379a6c5735a9200f1.exe

pid	process
3292	be2217174a9927d8df6977aca91f733234854a7d58ea4a4379a6c5735a9200f1.exe
3292	be2217174a9927d8df6977aca91f733234854a7d58ea4a4379a6c5735a9200f1.exe
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412
2412

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2412

pid	process
2412

Suspicious behavior: MapViewOfSection 56 IoCs

Processes:

be2217174a9927d8df6977aca91f733234854a7d58ea4a4379a6c5735a9200f1.exe7468.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
3292	be2217174a9927d8df6977aca91f733234854a7d58ea4a4379a6c5735a9200f1.exe
1564	7468.exe
2412
2412
2412
2412
2412
2412
3940	explorer.exe
3940	explorer.exe
2412
2412
656	explorer.exe
656	explorer.exe
2412
2412
2128	explorer.exe
2128	explorer.exe
2412
2412
4088	explorer.exe
4088	explorer.exe
2412
2412
492	explorer.exe
492	explorer.exe
492	explorer.exe
492	explorer.exe
2412
2412
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

984D.exe984D.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3152	984D.exe
Token: SeShutdownPrivilege	2412
Token: SeCreatePagefilePrivilege	2412
Token: SeDebugPrivilege	3800	984D.exe
Token: SeIncreaseQuotaPrivilege	1292	WMIC.exe
Token: SeSecurityPrivilege	1292	WMIC.exe
Token: SeTakeOwnershipPrivilege	1292	WMIC.exe
Token: SeLoadDriverPrivilege	1292	WMIC.exe
Token: SeSystemProfilePrivilege	1292	WMIC.exe
Token: SeSystemtimePrivilege	1292	WMIC.exe
Token: SeProfSingleProcessPrivilege	1292	WMIC.exe
Token: SeIncBasePriorityPrivilege	1292	WMIC.exe
Token: SeCreatePagefilePrivilege	1292	WMIC.exe
Token: SeBackupPrivilege	1292	WMIC.exe
Token: SeRestorePrivilege	1292	WMIC.exe
Token: SeShutdownPrivilege	1292	WMIC.exe
Token: SeDebugPrivilege	1292	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1292	WMIC.exe
Token: SeRemoteShutdownPrivilege	1292	WMIC.exe
Token: SeUndockPrivilege	1292	WMIC.exe
Token: SeManageVolumePrivilege	1292	WMIC.exe
Token: 33	1292	WMIC.exe
Token: 34	1292	WMIC.exe
Token: 35	1292	WMIC.exe
Token: 36	1292	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1292	WMIC.exe
Token: SeSecurityPrivilege	1292	WMIC.exe
Token: SeTakeOwnershipPrivilege	1292	WMIC.exe
Token: SeLoadDriverPrivilege	1292	WMIC.exe
Token: SeSystemProfilePrivilege	1292	WMIC.exe
Token: SeSystemtimePrivilege	1292	WMIC.exe
Token: SeProfSingleProcessPrivilege	1292	WMIC.exe
Token: SeIncBasePriorityPrivilege	1292	WMIC.exe
Token: SeCreatePagefilePrivilege	1292	WMIC.exe
Token: SeBackupPrivilege	1292	WMIC.exe
Token: SeRestorePrivilege	1292	WMIC.exe
Token: SeShutdownPrivilege	1292	WMIC.exe
Token: SeDebugPrivilege	1292	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1292	WMIC.exe
Token: SeRemoteShutdownPrivilege	1292	WMIC.exe
Token: SeUndockPrivilege	1292	WMIC.exe
Token: SeManageVolumePrivilege	1292	WMIC.exe
Token: 33	1292	WMIC.exe
Token: 34	1292	WMIC.exe
Token: 35	1292	WMIC.exe
Token: 36	1292	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3580	WMIC.exe
Token: SeSecurityPrivilege	3580	WMIC.exe
Token: SeTakeOwnershipPrivilege	3580	WMIC.exe
Token: SeLoadDriverPrivilege	3580	WMIC.exe
Token: SeSystemProfilePrivilege	3580	WMIC.exe
Token: SeSystemtimePrivilege	3580	WMIC.exe
Token: SeProfSingleProcessPrivilege	3580	WMIC.exe
Token: SeIncBasePriorityPrivilege	3580	WMIC.exe
Token: SeCreatePagefilePrivilege	3580	WMIC.exe
Token: SeBackupPrivilege	3580	WMIC.exe
Token: SeRestorePrivilege	3580	WMIC.exe
Token: SeShutdownPrivilege	3580	WMIC.exe
Token: SeDebugPrivilege	3580	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3580	WMIC.exe
Token: SeRemoteShutdownPrivilege	3580	WMIC.exe
Token: SeUndockPrivilege	3580	WMIC.exe
Token: SeManageVolumePrivilege	3580	WMIC.exe
Token: 33	3580	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2916 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2916 iexplore.exe
2916 iexplore.exe
452 IEXPLORE.EXE
452 IEXPLORE.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

RuntimeBroker.exe

pid process

2780 RuntimeBroker.exe

pid	process
2916	iexplore.exe

pid	process
2916	iexplore.exe
2916	iexplore.exe
452	IEXPLORE.EXE
452	IEXPLORE.EXE

pid	process
2780	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

984D.execmd.exenet.exenet.exe

description	pid	process	target process
PID 2412 wrote to memory of 1564	2412		7468.exe
PID 2412 wrote to memory of 1564	2412		7468.exe
PID 2412 wrote to memory of 1564	2412		7468.exe
PID 2412 wrote to memory of 3152	2412		984D.exe
PID 2412 wrote to memory of 3152	2412		984D.exe
PID 2412 wrote to memory of 3152	2412		984D.exe
PID 3152 wrote to memory of 3800	3152	984D.exe	984D.exe
PID 3152 wrote to memory of 3800	3152	984D.exe	984D.exe
PID 3152 wrote to memory of 3800	3152	984D.exe	984D.exe
PID 3152 wrote to memory of 3800	3152	984D.exe	984D.exe
PID 3152 wrote to memory of 3800	3152	984D.exe	984D.exe
PID 3152 wrote to memory of 3800	3152	984D.exe	984D.exe
PID 3152 wrote to memory of 3800	3152	984D.exe	984D.exe
PID 3152 wrote to memory of 3800	3152	984D.exe	984D.exe
PID 2412 wrote to memory of 1772	2412		cmd.exe
PID 2412 wrote to memory of 1772	2412		cmd.exe
PID 1772 wrote to memory of 1292	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 1292	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 3580	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 3580	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 1140	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 1140	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 1316	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 1316	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 3036	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 3036	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 3692	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 3692	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 3636	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 3636	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 488	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 488	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 1484	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 1484	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 3068	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 3068	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 764	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 764	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 2132	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 2132	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 4024	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 4024	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 2844	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 2844	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 1964	1772	cmd.exe	ipconfig.exe
PID 1772 wrote to memory of 1964	1772	cmd.exe	ipconfig.exe
PID 1772 wrote to memory of 1996	1772	cmd.exe	ROUTE.EXE
PID 1772 wrote to memory of 1996	1772	cmd.exe	ROUTE.EXE
PID 1772 wrote to memory of 3580	1772	cmd.exe	netsh.exe
PID 1772 wrote to memory of 3580	1772	cmd.exe	netsh.exe
PID 1772 wrote to memory of 1316	1772	cmd.exe	systeminfo.exe
PID 1772 wrote to memory of 1316	1772	cmd.exe	systeminfo.exe
PID 1772 wrote to memory of 3192	1772	cmd.exe	tasklist.exe
PID 1772 wrote to memory of 3192	1772	cmd.exe	tasklist.exe
PID 1772 wrote to memory of 2180	1772	cmd.exe	net.exe
PID 1772 wrote to memory of 2180	1772	cmd.exe	net.exe
PID 2180 wrote to memory of 2432	2180	net.exe	net1.exe
PID 2180 wrote to memory of 2432	2180	net.exe	net1.exe
PID 1772 wrote to memory of 3940	1772	cmd.exe	net.exe
PID 1772 wrote to memory of 3940	1772	cmd.exe	net.exe
PID 3940 wrote to memory of 2236	3940	net.exe	net1.exe
PID 3940 wrote to memory of 2236	3940	net.exe	net1.exe
PID 1772 wrote to memory of 2932	1772	cmd.exe	net.exe
PID 1772 wrote to memory of 2932	1772	cmd.exe	net.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2224

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2880

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:2780

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1280

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2968

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2812

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2720

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2720 -s 1012
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2524

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2276

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\be2217174a9927d8df6977aca91f733234854a7d58ea4a4379a6c5735a9200f1.exe
"C:\Users\Admin\AppData\Local\Temp\be2217174a9927d8df6977aca91f733234854a7d58ea4a4379a6c5735a9200f1.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3292

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe e5e5e0cbfee086840323a7c126870ba5 YUZr/UheakC/FjzEQ2ieDg.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:3592

C:\Users\Admin\AppData\Local\Temp\7468.exe
C:\Users\Admin\AppData\Local\Temp\7468.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1564

C:\Users\Admin\AppData\Local\Temp\984D.exe
C:\Users\Admin\AppData\Local\Temp\984D.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Local\Temp\984D.exe
C:\Users\Admin\AppData\Local\Temp\984D.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3800

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:1140

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:1316

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:3036

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
2⤵
PID:3692

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
2⤵
PID:3636

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
2⤵
PID:488

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
2⤵
PID:1484

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
2⤵
PID:3068

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
2⤵
PID:764

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
2⤵
PID:2132

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
2⤵
PID:4024

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
2⤵
PID:2844

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
2⤵
- Gathers network information
PID:1964

C:\Windows\system32\ROUTE.EXE
route print
2⤵
PID:1996

C:\Windows\system32\netsh.exe
netsh firewall show state
2⤵
PID:3580

C:\Windows\system32\systeminfo.exe
systeminfo
2⤵
- Gathers system information
PID:1316

C:\Windows\system32\tasklist.exe
tasklist /v
2⤵
- Enumerates processes with tasklist
PID:3192

C:\Windows\system32\net.exe
net accounts /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 accounts /domain
3⤵
PID:2432

C:\Windows\system32\net.exe
net share
2⤵
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
3⤵
PID:2236

C:\Windows\system32\net.exe
net user
2⤵
PID:2932

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
3⤵
PID:656

C:\Windows\system32\net.exe
net user /domain
2⤵
PID:3404

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /domain
3⤵
PID:3860

C:\Windows\system32\net.exe
net use
2⤵
PID:4056

C:\Windows\system32\net.exe
net group
2⤵
PID:4068

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group
3⤵
PID:3684

C:\Windows\system32\net.exe
net localgroup
2⤵
PID:3636

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
3⤵
PID:3452

C:\Windows\system32\NETSTAT.EXE
netstat -r
2⤵
- Gathers network information
PID:488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
3⤵
PID:844

C:\Windows\system32\ROUTE.EXE
C:\Windows\system32\route.exe print
4⤵
PID:3176

C:\Windows\system32\NETSTAT.EXE
netstat -nao
2⤵
- Gathers network information
PID:3068

C:\Windows\system32\schtasks.exe
schtasks /query
2⤵
PID:4092

C:\Windows\system32\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:764

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:800

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:2604

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:3308

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2916

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2916 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
1⤵
PID:872

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 884
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1888

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4060 -ip 4060
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3260

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3940

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:656

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2128

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4088

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:492

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2832

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 2720 -ip 2720
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4092

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2180

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2180 -s 832
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1684

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 2180 -ip 2180
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2268

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3548

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3548 -s 780
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3888

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 3548 -ip 3548
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

4

Peripheral Device Discovery

T1120

System Information Discovery

5

Process Discovery