smokeloader | 454db6cd57478f184108ce2d5a9a9f8032ff784be1b79fddfecc57e9bd6b3855

General

Target

454db6cd57478f184108ce2d5a9a9f8032ff784be1b79fddfecc57e9bd6b3855.exe
Size

316KB
MD5

a3c870847b4131ad8320eba44d0b3013
SHA1

4be979a1d12e4d7deaff5165ce14e6d8449d0302
SHA256

454db6cd57478f184108ce2d5a9a9f8032ff784be1b79fddfecc57e9bd6b3855
SHA512

e7495fb42f109d402ef46eee2ed6edb1b2a4b8549a8883e5b884c3cc0c0d0b8a38888d4cc4d72583eaa79de78d4517ae8a56dee90403e5af94978f46f165d86f

Score

10^/10

smokeloader backdoor evasion persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

https://oakland-studio.video/search.php

https://seattle-university.video/search.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 376 created 4056	376	WerFault.exe	explorer.exe
PID 2080 created 2788	2080	WerFault.exe	DllHost.exe
PID 3988 created 3044	3988	WerFault.exe	DllHost.exe
PID 3524 created 1928	3524	WerFault.exe	DllHost.exe
PID 3524 created 3632	3524	WerFault.exe	DllHost.exe
PID 716 created 3348	716	WerFault.exe	DllHost.exe
PID 1304 created 3472	1304	WerFault.exe	DllHost.exe
PID 1872 created 3324	1872	WerFault.exe	DllHost.exe
PID 2504 created 3376	2504	WerFault.exe	DllHost.exe
PID 2560 created 3360	2560	WerFault.exe	DllHost.exe
PID 2632 created 2940	2632	WerFault.exe	DllHost.exe
PID 1936 created 3316	1936	WerFault.exe	DllHost.exe
PID 4092 created 1276	4092	WerFault.exe	DllHost.exe

Executes dropped EXE 1 IoCs

Processes:

rvtgwbh

pid process

2208 rvtgwbh
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Drops file in Windows directory 1 IoCs

Processes:

TiWorker.exe

description ioc process

File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe

pid	process
2208	rvtgwbh

description	ioc	process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
716	4056	WerFault.exe	explorer.exe
3952	2788	WerFault.exe	DllHost.exe
800	3044	WerFault.exe	DllHost.exe
3080	1928	WerFault.exe	DllHost.exe
2832	3632	WerFault.exe	DllHost.exe
312	3348	WerFault.exe	DllHost.exe
676	3472	WerFault.exe	DllHost.exe
1996	3324	WerFault.exe	DllHost.exe
4092	3376	WerFault.exe	DllHost.exe
1440	3360	WerFault.exe	DllHost.exe
3336	2940	WerFault.exe	DllHost.exe
3004	3316	WerFault.exe	DllHost.exe
2104	1276	WerFault.exe	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

454db6cd57478f184108ce2d5a9a9f8032ff784be1b79fddfecc57e9bd6b3855.exervtgwbh

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	454db6cd57478f184108ce2d5a9a9f8032ff784be1b79fddfecc57e9bd6b3855.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	454db6cd57478f184108ce2d5a9a9f8032ff784be1b79fddfecc57e9bd6b3855.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	454db6cd57478f184108ce2d5a9a9f8032ff784be1b79fddfecc57e9bd6b3855.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rvtgwbh
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rvtgwbh
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rvtgwbh

Checks processor information in registry 2 TTPs 39 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3480 tasklist.exe

pid	process
3480	tasklist.exe

Enumerates system info in registry 2 TTPs 26 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeNETSTAT.EXENETSTAT.EXEipconfig.exe

pid process

2260 ipconfig.exe
768 NETSTAT.EXE
2964 NETSTAT.EXE
824 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2068 systeminfo.exe

pid	process
2260	ipconfig.exe
768	NETSTAT.EXE
2964	NETSTAT.EXE
824	ipconfig.exe

pid	process
2068	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cce5a29beacafa47833fc2d72883fdda0000000002000000000010660000000100002000000041c76c0727ed88972eecba9d351d0c981a0e0c76097a80cf882207cdee277669000000000e8000000002000020000000935036392c4725a1882d4dccfb96b3d1b5bb33dce67062209e73889c7aed941720000000335f02110d9919cd43671de1161462a4718ec775d0c84eb0c5bbf64655f6cdb6400000004804e6a2f7e4b0376d41f42c90e8aa2b1db67b0883d918808bdf6f2ad31acb015561b042da58fb4219b5aea345f987e923df5bad7aba8f745ee6fd5b62c5985f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{27558706-7E97-11EC-82D0-52E9CA6C9F63} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30937763"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4229384117"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5058f9ffa312d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4229384117"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cce5a29beacafa47833fc2d72883fdda000000000200000000001066000000010000200000000ee28f9825b31447356da05d701a09e6900eb04ba7c5efcce1d35f830f85d190000000000e8000000002000020000000d5543f1761988562aa954f53004925b27dd050f613afde9524b3e2faba425c8920000000268e3d39b832607bc95898f44293dbae213383eb11a5af3e2f96b03de3799028400000009ac1a0d0f721b41330c8eea0d3857441dcc00aa3ec8aac80a50db2b4cf480e5d433d166da21e87daa11a8cb2bf278d0017c8c321804edac5c2113de823a9d39b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4246571607"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0e8d0ffa312d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30937763"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "349959798"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30937763"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

WaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe

Modifies registry class 1 IoCs

Processes:

backgroundTaskHost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\MuiCache backgroundTaskHost.exe
Runs net.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\MuiCache	backgroundTaskHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

454db6cd57478f184108ce2d5a9a9f8032ff784be1b79fddfecc57e9bd6b3855.exe

pid	process
2516	454db6cd57478f184108ce2d5a9a9f8032ff784be1b79fddfecc57e9bd6b3855.exe
2516	454db6cd57478f184108ce2d5a9a9f8032ff784be1b79fddfecc57e9bd6b3855.exe
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2488

pid	process
2488

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

454db6cd57478f184108ce2d5a9a9f8032ff784be1b79fddfecc57e9bd6b3855.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
2516	454db6cd57478f184108ce2d5a9a9f8032ff784be1b79fddfecc57e9bd6b3855.exe
2488
2488
2488
2488
2488
2488
3672	explorer.exe
3672	explorer.exe
2488
2488
1328	explorer.exe
1328	explorer.exe
2488
2488
1256	explorer.exe
1256	explorer.exe
2488
2488
816	explorer.exe
816	explorer.exe
2488
2488
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2612	explorer.exe
2488
2488
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1992	WMIC.exe
Token: SeSecurityPrivilege	1992	WMIC.exe
Token: SeTakeOwnershipPrivilege	1992	WMIC.exe
Token: SeLoadDriverPrivilege	1992	WMIC.exe
Token: SeSystemProfilePrivilege	1992	WMIC.exe
Token: SeSystemtimePrivilege	1992	WMIC.exe
Token: SeProfSingleProcessPrivilege	1992	WMIC.exe
Token: SeIncBasePriorityPrivilege	1992	WMIC.exe
Token: SeCreatePagefilePrivilege	1992	WMIC.exe
Token: SeBackupPrivilege	1992	WMIC.exe
Token: SeRestorePrivilege	1992	WMIC.exe
Token: SeShutdownPrivilege	1992	WMIC.exe
Token: SeDebugPrivilege	1992	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1992	WMIC.exe
Token: SeRemoteShutdownPrivilege	1992	WMIC.exe
Token: SeUndockPrivilege	1992	WMIC.exe
Token: SeManageVolumePrivilege	1992	WMIC.exe
Token: 33	1992	WMIC.exe
Token: 34	1992	WMIC.exe
Token: 35	1992	WMIC.exe
Token: 36	1992	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1992	WMIC.exe
Token: SeSecurityPrivilege	1992	WMIC.exe
Token: SeTakeOwnershipPrivilege	1992	WMIC.exe
Token: SeLoadDriverPrivilege	1992	WMIC.exe
Token: SeSystemProfilePrivilege	1992	WMIC.exe
Token: SeSystemtimePrivilege	1992	WMIC.exe
Token: SeProfSingleProcessPrivilege	1992	WMIC.exe
Token: SeIncBasePriorityPrivilege	1992	WMIC.exe
Token: SeCreatePagefilePrivilege	1992	WMIC.exe
Token: SeBackupPrivilege	1992	WMIC.exe
Token: SeRestorePrivilege	1992	WMIC.exe
Token: SeShutdownPrivilege	1992	WMIC.exe
Token: SeDebugPrivilege	1992	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1992	WMIC.exe
Token: SeRemoteShutdownPrivilege	1992	WMIC.exe
Token: SeUndockPrivilege	1992	WMIC.exe
Token: SeManageVolumePrivilege	1992	WMIC.exe
Token: 33	1992	WMIC.exe
Token: 34	1992	WMIC.exe
Token: 35	1992	WMIC.exe
Token: 36	1992	WMIC.exe
Token: SeIncreaseQuotaPrivilege	508	WMIC.exe
Token: SeSecurityPrivilege	508	WMIC.exe
Token: SeTakeOwnershipPrivilege	508	WMIC.exe
Token: SeLoadDriverPrivilege	508	WMIC.exe
Token: SeSystemProfilePrivilege	508	WMIC.exe
Token: SeSystemtimePrivilege	508	WMIC.exe
Token: SeProfSingleProcessPrivilege	508	WMIC.exe
Token: SeIncBasePriorityPrivilege	508	WMIC.exe
Token: SeCreatePagefilePrivilege	508	WMIC.exe
Token: SeBackupPrivilege	508	WMIC.exe
Token: SeRestorePrivilege	508	WMIC.exe
Token: SeShutdownPrivilege	508	WMIC.exe
Token: SeDebugPrivilege	508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	508	WMIC.exe
Token: SeRemoteShutdownPrivilege	508	WMIC.exe
Token: SeUndockPrivilege	508	WMIC.exe
Token: SeManageVolumePrivilege	508	WMIC.exe
Token: 33	508	WMIC.exe
Token: 34	508	WMIC.exe
Token: 35	508	WMIC.exe
Token: 36	508	WMIC.exe
Token: SeIncreaseQuotaPrivilege	508	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3584 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3584 iexplore.exe
3584 iexplore.exe
1000 IEXPLORE.EXE
1000 IEXPLORE.EXE

pid	process
3584	iexplore.exe

pid	process
3584	iexplore.exe
3584	iexplore.exe
1000	IEXPLORE.EXE
1000	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2488 wrote to memory of 3920	2488		cmd.exe
PID 2488 wrote to memory of 3920	2488		cmd.exe
PID 3920 wrote to memory of 1992	3920	cmd.exe	WMIC.exe
PID 3920 wrote to memory of 1992	3920	cmd.exe	WMIC.exe
PID 3920 wrote to memory of 508	3920	cmd.exe	WMIC.exe
PID 3920 wrote to memory of 508	3920	cmd.exe	WMIC.exe
PID 3920 wrote to memory of 768	3920	cmd.exe	WMIC.exe
PID 3920 wrote to memory of 768	3920	cmd.exe	WMIC.exe
PID 3920 wrote to memory of 1640	3920	cmd.exe	WMIC.exe
PID 3920 wrote to memory of 1640	3920	cmd.exe	WMIC.exe
PID 3920 wrote to memory of 1276	3920	cmd.exe	WMIC.exe
PID 3920 wrote to memory of 1276	3920	cmd.exe	WMIC.exe
PID 3920 wrote to memory of 3628	3920	cmd.exe	WMIC.exe
PID 3920 wrote to memory of 3628	3920	cmd.exe	WMIC.exe
PID 3920 wrote to memory of 1452	3920	cmd.exe	WMIC.exe
PID 3920 wrote to memory of 1452	3920	cmd.exe	WMIC.exe
PID 3920 wrote to memory of 3672	3920	cmd.exe	WMIC.exe
PID 3920 wrote to memory of 3672	3920	cmd.exe	WMIC.exe
PID 3920 wrote to memory of 1812	3920	cmd.exe	WMIC.exe
PID 3920 wrote to memory of 1812	3920	cmd.exe	WMIC.exe
PID 3920 wrote to memory of 1996	3920	cmd.exe	WMIC.exe
PID 3920 wrote to memory of 1996	3920	cmd.exe	WMIC.exe
PID 3920 wrote to memory of 3028	3920	cmd.exe	WMIC.exe
PID 3920 wrote to memory of 3028	3920	cmd.exe	WMIC.exe
PID 3920 wrote to memory of 2716	3920	cmd.exe	WMIC.exe
PID 3920 wrote to memory of 2716	3920	cmd.exe	WMIC.exe
PID 3920 wrote to memory of 3932	3920	cmd.exe	WMIC.exe
PID 3920 wrote to memory of 3932	3920	cmd.exe	WMIC.exe
PID 3920 wrote to memory of 3784	3920	cmd.exe	WMIC.exe
PID 3920 wrote to memory of 3784	3920	cmd.exe	WMIC.exe
PID 3920 wrote to memory of 2260	3920	cmd.exe	ipconfig.exe
PID 3920 wrote to memory of 2260	3920	cmd.exe	ipconfig.exe
PID 3920 wrote to memory of 3692	3920	cmd.exe	ROUTE.EXE
PID 3920 wrote to memory of 3692	3920	cmd.exe	ROUTE.EXE
PID 3920 wrote to memory of 2928	3920	cmd.exe	netsh.exe
PID 3920 wrote to memory of 2928	3920	cmd.exe	netsh.exe
PID 3920 wrote to memory of 2068	3920	cmd.exe	systeminfo.exe
PID 3920 wrote to memory of 2068	3920	cmd.exe	systeminfo.exe
PID 3920 wrote to memory of 3480	3920	cmd.exe	tasklist.exe
PID 3920 wrote to memory of 3480	3920	cmd.exe	tasklist.exe
PID 3920 wrote to memory of 3532	3920	cmd.exe	net.exe
PID 3920 wrote to memory of 3532	3920	cmd.exe	net.exe
PID 3532 wrote to memory of 1248	3532	net.exe	net1.exe
PID 3532 wrote to memory of 1248	3532	net.exe	net1.exe
PID 3920 wrote to memory of 724	3920	cmd.exe	net.exe
PID 3920 wrote to memory of 724	3920	cmd.exe	net.exe
PID 724 wrote to memory of 3988	724	net.exe	net1.exe
PID 724 wrote to memory of 3988	724	net.exe	net1.exe
PID 3920 wrote to memory of 3208	3920	cmd.exe	net.exe
PID 3920 wrote to memory of 3208	3920	cmd.exe	net.exe
PID 3208 wrote to memory of 2956	3208	net.exe	net1.exe
PID 3208 wrote to memory of 2956	3208	net.exe	net1.exe
PID 3920 wrote to memory of 1864	3920	cmd.exe	net.exe
PID 3920 wrote to memory of 1864	3920	cmd.exe	net.exe
PID 1864 wrote to memory of 452	1864	net.exe	net1.exe
PID 1864 wrote to memory of 452	1864	net.exe	net1.exe
PID 3920 wrote to memory of 2124	3920	cmd.exe	net.exe
PID 3920 wrote to memory of 2124	3920	cmd.exe	net.exe
PID 3920 wrote to memory of 3664	3920	cmd.exe	net.exe
PID 3920 wrote to memory of 3664	3920	cmd.exe	net.exe
PID 3664 wrote to memory of 3488	3664	net.exe	net1.exe
PID 3664 wrote to memory of 3488	3664	net.exe	net1.exe
PID 3920 wrote to memory of 2084	3920	cmd.exe	net.exe
PID 3920 wrote to memory of 2084	3920	cmd.exe	net.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2296

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2340

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2788

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2788 -s 848
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2600

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2888

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2972

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3052

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3144

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\454db6cd57478f184108ce2d5a9a9f8032ff784be1b79fddfecc57e9bd6b3855.exe
"C:\Users\Admin\AppData\Local\Temp\454db6cd57478f184108ce2d5a9a9f8032ff784be1b79fddfecc57e9bd6b3855.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2516

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 41b12507354bb362ac71adec1d43a874 GR0me9U24E+ri1QlgabnZA.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:1328

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:3920

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:508

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:768

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:1640

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:1276

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
2⤵
PID:3628

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
2⤵
PID:1452

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
2⤵
PID:3672

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
2⤵
PID:1812

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
2⤵
PID:1996

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
2⤵
PID:3028

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
2⤵
PID:2716

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
2⤵
PID:3932

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
2⤵
PID:3784

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
2⤵
- Gathers network information
PID:2260

C:\Windows\system32\ROUTE.EXE
route print
2⤵
PID:3692

C:\Windows\system32\netsh.exe
netsh firewall show state
2⤵
PID:2928

C:\Windows\system32\systeminfo.exe
systeminfo
2⤵
- Gathers system information
PID:2068

C:\Windows\system32\tasklist.exe
tasklist /v
2⤵
- Enumerates processes with tasklist
PID:3480

C:\Windows\system32\net.exe
net accounts /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:3532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 accounts /domain
3⤵
PID:1248

C:\Windows\system32\net.exe
net share
2⤵
- Suspicious use of WriteProcessMemory
PID:724

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
3⤵
PID:3988

C:\Windows\system32\net.exe
net user
2⤵
- Suspicious use of WriteProcessMemory
PID:3208

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
3⤵
PID:2956

C:\Windows\system32\net.exe
net user /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /domain
3⤵
PID:452

C:\Windows\system32\net.exe
net use
2⤵
PID:2124

C:\Windows\system32\net.exe
net group
2⤵
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group
3⤵
PID:3488

C:\Windows\system32\net.exe
net localgroup
2⤵
PID:2084

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
3⤵
PID:1016

C:\Windows\system32\NETSTAT.EXE
netstat -r
2⤵
- Gathers network information
PID:768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
3⤵
PID:2240

C:\Windows\system32\ROUTE.EXE
C:\Windows\system32\route.exe print
4⤵
PID:2676

C:\Windows\system32\NETSTAT.EXE
netstat -nao
2⤵
- Gathers network information
PID:2964

C:\Windows\system32\schtasks.exe
schtasks /query
2⤵
PID:3240

C:\Windows\system32\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:824

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:1596

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1144

C:\Users\Admin\AppData\Roaming\rvtgwbh
C:\Users\Admin\AppData\Roaming\rvtgwbh
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2208

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:4060

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Modifies registry class
PID:2968

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:1788

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:2260

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3584

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3584 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
1⤵
PID:3100

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 900
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:716

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4056 -ip 4056
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:376

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3672

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1328

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1256

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:816

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2612

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:760

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 2788 -ip 2788
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2080

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3044

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3044 -s 836
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:800

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 432 -p 3044 -ip 3044
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3988

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1928

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1928 -s 856
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p
1⤵
PID:1016

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 1928 -ip 1928
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3524

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3632

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3632 -s 808
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2832

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 3632 -ip 3632
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3524

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3348

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3348 -s 964
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:312

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3472

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3472 -s 828
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:676

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 3348 -ip 3348
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:716

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 3472 -ip 3472
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1304

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3324

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3324 -s 780
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1996

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 3324 -ip 3324
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1872

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3376

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3376 -s 768
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4092

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 3376 -ip 3376
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2504

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3360

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3360 -s 828
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1440

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 3360 -ip 3360
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2560

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2940

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2940 -s 816
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3336

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 2940 -ip 2940
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2632

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3316

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3316 -s 796
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3004

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 3316 -ip 3316
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1936

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1276

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1276 -s 840
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2104

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 1276 -ip 1276
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Process Discovery

Query Registry

System Information Discovery

5

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
MD5
14f71b27a47ce7269fb8941d2d4d58c0

SHA1
b5def0255732affd94850e75298ae55f9833c06d

SHA256
e625779b8c664bdc929c0997eea5b893e028a291fd048691f0ffad4492716758

SHA512
0d19522c77614f6cdda7cd43ee35541c784f1f762579d3c2a57cf8b2cf181b7ada33980e35d0d71ef6556179dc0723e72182c918220c7c004c1fdf5e53227729

Download Submit
C:\Users\Admin\AppData\Roaming\rvtgwbh
MD5
a3c870847b4131ad8320eba44d0b3013

SHA1
4be979a1d12e4d7deaff5165ce14e6d8449d0302

SHA256
454db6cd57478f184108ce2d5a9a9f8032ff784be1b79fddfecc57e9bd6b3855

SHA512
e7495fb42f109d402ef46eee2ed6edb1b2a4b8549a8883e5b884c3cc0c0d0b8a38888d4cc4d72583eaa79de78d4517ae8a56dee90403e5af94978f46f165d86f

Download Submit
memory/760-172-0x0000000000C80000-0x0000000000C87000-memory.dmp

Filesize
28KB

Download
memory/760-173-0x00000000009F0000-0x00000000009FD000-memory.dmp

Filesize
52KB

Download
memory/816-167-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/816-166-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download
memory/1256-165-0x00000000030E0000-0x00000000030E9000-memory.dmp

Filesize
36KB

Download
memory/1256-164-0x00000000030F0000-0x00000000030F5000-memory.dmp

Filesize
20KB

Download
memory/1312-159-0x0000000000950000-0x000000000095C000-memory.dmp

Filesize
48KB

Download
memory/1328-162-0x0000000000F20000-0x0000000000F29000-memory.dmp

Filesize
36KB

Download
memory/1328-163-0x0000000000F10000-0x0000000000F1E000-memory.dmp

Filesize
56KB

Download
memory/1664-608-0x00000217AE9A0000-0x00000217AE9A1000-memory.dmp

Filesize
4KB

Download
memory/1664-610-0x00000217AE9A0000-0x00000217AE9A1000-memory.dmp

Filesize
4KB

Download
memory/1996-1080-0x000001BEA9B00000-0x000001BEA9B0D000-memory.dmp

Filesize
52KB

Download
memory/2260-171-0x0000000004E30000-0x0000000004E3B000-memory.dmp

Filesize
44KB

Download
memory/2260-170-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/2276-174-0x0000023F5FF20000-0x0000023F5FF21000-memory.dmp

Filesize
4KB

Download
memory/2296-175-0x0000027313DB0000-0x0000027313DB1000-memory.dmp

Filesize
4KB

Download
memory/2340-176-0x000002A5C9080000-0x000002A5C9081000-memory.dmp

Filesize
4KB

Download
memory/2488-134-0x0000000007090000-0x000000000709F000-memory.dmp

Filesize
60KB

Download
memory/2488-133-0x00000000026F0000-0x0000000002706000-memory.dmp

Filesize
88KB

Download
memory/2516-132-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2516-131-0x00000000006B0000-0x00000000006B9000-memory.dmp

Filesize
36KB

Download
memory/2516-130-0x00000000006A0000-0x00000000006A8000-memory.dmp

Filesize
32KB

Download
memory/2600-177-0x000002BA91FE0000-0x000002BA91FE1000-memory.dmp

Filesize
4KB

Download
memory/2612-169-0x00000000005A0000-0x00000000005AB000-memory.dmp

Filesize
44KB

Download
memory/2612-168-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download
memory/2888-178-0x0000028E4B580000-0x0000028E4B581000-memory.dmp

Filesize
4KB

Download
memory/2968-609-0x000001A645480000-0x000001A645481000-memory.dmp

Filesize
4KB

Download
memory/2972-322-0x0000022BF1F30000-0x0000022BF1F31000-memory.dmp

Filesize
4KB

Download
memory/3080-1077-0x000001F09DFE0000-0x000001F09DFED000-memory.dmp

Filesize
52KB

Download
memory/3144-469-0x000001B75EAB0000-0x000001B75EAB1000-memory.dmp

Filesize
4KB

Download
memory/3324-1078-0x000001BC676A0000-0x000001BC676A8000-memory.dmp

Filesize
32KB

Download
memory/3324-1079-0x000001BC676B0000-0x000001BC676B8000-memory.dmp

Filesize
32KB

Download
memory/3376-1081-0x0000022CABD40000-0x0000022CABD48000-memory.dmp

Filesize
32KB

Download
memory/3376-1083-0x0000022CABD60000-0x0000022CABD68000-memory.dmp

Filesize
32KB

Download
memory/3376-1084-0x0000022CABD50000-0x0000022CABD51000-memory.dmp

Filesize
4KB

Download
memory/3672-161-0x0000000002DF0000-0x0000000002DFB000-memory.dmp

Filesize
44KB

Download
memory/3672-160-0x0000000003080000-0x0000000003087000-memory.dmp

Filesize
28KB

Download
memory/4056-157-0x0000000000720000-0x0000000000795000-memory.dmp

Filesize
468KB

Download
memory/4056-158-0x00000000006B0000-0x000000000071B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads