smokeloader | 971926a7aab4443e8be8b6906e2fd25d0347ec61120a7983a786f476783eb849

General

Target

971926a7aab4443e8be8b6906e2fd25d0347ec61120a7983a786f476783eb849.exe
Size

334KB
MD5

1c03d828f8851eca3faa34e9fc7fc202
SHA1

18309ec6c815702007e405e89834e2a06973b0ee
SHA256

971926a7aab4443e8be8b6906e2fd25d0347ec61120a7983a786f476783eb849
SHA512

5b0e4cadf471a562b3f0df08c6fd3870b4e1c454029bde23186cd6cb2b6dfa8d4278d2fb1c15bb9baa3126df7cf1ea3fb55d6923d6ec486e65ac824269bdee09

Score

10^/10

smokeloader backdoor evasion persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

https://oakland-studio.video/search.php

https://seattle-university.video/search.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 2568 created 3624	2568	WerFault.exe	explorer.exe
PID 2604 created 2740	2604	WerFault.exe	DllHost.exe
PID 2736 created 2940	2736	WerFault.exe	DllHost.exe
PID 2432 created 3480	2432	WerFault.exe	DllHost.exe
PID 3196 created 2480	3196	WerFault.exe	DllHost.exe
PID 2236 created 1284	2236	WerFault.exe	DllHost.exe
PID 1604 created 4076	1604	WerFault.exe	DllHost.exe
PID 852 created 2140	852	WerFault.exe	DllHost.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Drops file in Windows directory 1 IoCs

Processes:

TiWorker.exe

description ioc process

File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3196	3624	WerFault.exe	explorer.exe
1668	2740	WerFault.exe	DllHost.exe
1016	2940	WerFault.exe	DllHost.exe
1972	3480	WerFault.exe	DllHost.exe
1340	2480	WerFault.exe	DllHost.exe
2300	1284	WerFault.exe	DllHost.exe
1184	4076	WerFault.exe	DllHost.exe
3364	2140	WerFault.exe	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

971926a7aab4443e8be8b6906e2fd25d0347ec61120a7983a786f476783eb849.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	971926a7aab4443e8be8b6906e2fd25d0347ec61120a7983a786f476783eb849.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	971926a7aab4443e8be8b6906e2fd25d0347ec61120a7983a786f476783eb849.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	971926a7aab4443e8be8b6906e2fd25d0347ec61120a7983a786f476783eb849.exe

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1540 tasklist.exe

pid	process
1540	tasklist.exe

Enumerates system info in registry 2 TTPs 14 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeNETSTAT.EXENETSTAT.EXEipconfig.exe

pid process

1616 ipconfig.exe
1204 NETSTAT.EXE
3920 NETSTAT.EXE
456 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2964 systeminfo.exe

pid	process
1616	ipconfig.exe
1204	NETSTAT.EXE
3920	NETSTAT.EXE
456	ipconfig.exe

pid	process
2964	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30937705"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30937705"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 608b04ce6912d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "349934800"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3342192270"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30937705"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3344380032"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{48E30493-73F8-11EC-82D0-6233295FD4AC} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3342192270"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cce5a29beacafa47833fc2d72883fdda0000000002000000000010660000000100002000000062e95fcc0d0bf49adaab2593ca7f892cd3701ba622a00332ba303df30a38cc0c000000000e8000000002000020000000128c8099d02e2ff36d866bf4d474680127c31898bd0a2caa3a794f0327ccf39620000000a6f993ca957610f5eb6a27203849904962dbf392e5ca074e01e5e46e408221e1400000007140acd8108244526368f3978a31c6dcfc0c19264191981853de0b598d4b47abf16fd37fb3513e020893b5dd4b28034520a6c53d3dd87065bf493d4316e59ec9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3344380032"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10fbbccd6912d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cce5a29beacafa47833fc2d72883fdda000000000200000000001066000000010000200000001f22526b0b9086cf447bdf8edc35ee1ae5d02cc711b6d28c3d8a5cf8c6db809b000000000e80000000020000200000004c610b52bfae36a5f88ed6c5a45171e5ff25ec5d39c245a932741127a41d321320000000da8c579fb1ccc36dc7b54c005ff04cc84bd3921fb90d3635a1001d748cb3208a40000000f7262db4819b19ef4cb1688c739ca8fe52542dc5935277a6e8af323432da05a51bc482da58a8aaa05ae0b82c7e79b2acf854b0079a70e4b4bda1201b90b03855	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30937705"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"

Modifies data under HKEY_USERS 41 IoCs

Processes:

WaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

971926a7aab4443e8be8b6906e2fd25d0347ec61120a7983a786f476783eb849.exe

pid	process
3416	971926a7aab4443e8be8b6906e2fd25d0347ec61120a7983a786f476783eb849.exe
3416	971926a7aab4443e8be8b6906e2fd25d0347ec61120a7983a786f476783eb849.exe
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2444

pid	process
2444

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

971926a7aab4443e8be8b6906e2fd25d0347ec61120a7983a786f476783eb849.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
3416	971926a7aab4443e8be8b6906e2fd25d0347ec61120a7983a786f476783eb849.exe
2444
2444
2444
2444
2444
2444
1324	explorer.exe
1324	explorer.exe
2444
2444
864	explorer.exe
864	explorer.exe
2444
2444
2308	explorer.exe
2308	explorer.exe
2444
2444
3328	explorer.exe
3328	explorer.exe
2444
2444
1556	explorer.exe
1556	explorer.exe
1556	explorer.exe
1556	explorer.exe
2444
2444
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2964	WMIC.exe
Token: SeSecurityPrivilege	2964	WMIC.exe
Token: SeTakeOwnershipPrivilege	2964	WMIC.exe
Token: SeLoadDriverPrivilege	2964	WMIC.exe
Token: SeSystemProfilePrivilege	2964	WMIC.exe
Token: SeSystemtimePrivilege	2964	WMIC.exe
Token: SeProfSingleProcessPrivilege	2964	WMIC.exe
Token: SeIncBasePriorityPrivilege	2964	WMIC.exe
Token: SeCreatePagefilePrivilege	2964	WMIC.exe
Token: SeBackupPrivilege	2964	WMIC.exe
Token: SeRestorePrivilege	2964	WMIC.exe
Token: SeShutdownPrivilege	2964	WMIC.exe
Token: SeDebugPrivilege	2964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2964	WMIC.exe
Token: SeRemoteShutdownPrivilege	2964	WMIC.exe
Token: SeUndockPrivilege	2964	WMIC.exe
Token: SeManageVolumePrivilege	2964	WMIC.exe
Token: 33	2964	WMIC.exe
Token: 34	2964	WMIC.exe
Token: 35	2964	WMIC.exe
Token: 36	2964	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2964	WMIC.exe
Token: SeSecurityPrivilege	2964	WMIC.exe
Token: SeTakeOwnershipPrivilege	2964	WMIC.exe
Token: SeLoadDriverPrivilege	2964	WMIC.exe
Token: SeSystemProfilePrivilege	2964	WMIC.exe
Token: SeSystemtimePrivilege	2964	WMIC.exe
Token: SeProfSingleProcessPrivilege	2964	WMIC.exe
Token: SeIncBasePriorityPrivilege	2964	WMIC.exe
Token: SeCreatePagefilePrivilege	2964	WMIC.exe
Token: SeBackupPrivilege	2964	WMIC.exe
Token: SeRestorePrivilege	2964	WMIC.exe
Token: SeShutdownPrivilege	2964	WMIC.exe
Token: SeDebugPrivilege	2964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2964	WMIC.exe
Token: SeRemoteShutdownPrivilege	2964	WMIC.exe
Token: SeUndockPrivilege	2964	WMIC.exe
Token: SeManageVolumePrivilege	2964	WMIC.exe
Token: 33	2964	WMIC.exe
Token: 34	2964	WMIC.exe
Token: 35	2964	WMIC.exe
Token: 36	2964	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2868	WMIC.exe
Token: SeSecurityPrivilege	2868	WMIC.exe
Token: SeTakeOwnershipPrivilege	2868	WMIC.exe
Token: SeLoadDriverPrivilege	2868	WMIC.exe
Token: SeSystemProfilePrivilege	2868	WMIC.exe
Token: SeSystemtimePrivilege	2868	WMIC.exe
Token: SeProfSingleProcessPrivilege	2868	WMIC.exe
Token: SeIncBasePriorityPrivilege	2868	WMIC.exe
Token: SeCreatePagefilePrivilege	2868	WMIC.exe
Token: SeBackupPrivilege	2868	WMIC.exe
Token: SeRestorePrivilege	2868	WMIC.exe
Token: SeShutdownPrivilege	2868	WMIC.exe
Token: SeDebugPrivilege	2868	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2868	WMIC.exe
Token: SeRemoteShutdownPrivilege	2868	WMIC.exe
Token: SeUndockPrivilege	2868	WMIC.exe
Token: SeManageVolumePrivilege	2868	WMIC.exe
Token: 33	2868	WMIC.exe
Token: 34	2868	WMIC.exe
Token: 35	2868	WMIC.exe
Token: 36	2868	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2868	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2896 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2896 iexplore.exe
2896 iexplore.exe
3448 IEXPLORE.EXE
3448 IEXPLORE.EXE

pid	process
2896	iexplore.exe

pid	process
2896	iexplore.exe
2896	iexplore.exe
3448	IEXPLORE.EXE
3448	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2444 wrote to memory of 2960	2444		cmd.exe
PID 2444 wrote to memory of 2960	2444		cmd.exe
PID 2960 wrote to memory of 2964	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 2964	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 2868	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 2868	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 1404	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 1404	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 2464	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 2464	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 3404	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 3404	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 2352	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 2352	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 3944	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 3944	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 3512	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 3512	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 220	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 220	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 824	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 824	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 1336	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 1336	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 3232	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 3232	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 3260	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 3260	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 3016	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 3016	2960	cmd.exe	WMIC.exe
PID 2960 wrote to memory of 1616	2960	cmd.exe	ipconfig.exe
PID 2960 wrote to memory of 1616	2960	cmd.exe	ipconfig.exe
PID 2960 wrote to memory of 828	2960	cmd.exe	ROUTE.EXE
PID 2960 wrote to memory of 828	2960	cmd.exe	ROUTE.EXE
PID 2960 wrote to memory of 3588	2960	cmd.exe	netsh.exe
PID 2960 wrote to memory of 3588	2960	cmd.exe	netsh.exe
PID 2960 wrote to memory of 2964	2960	cmd.exe	systeminfo.exe
PID 2960 wrote to memory of 2964	2960	cmd.exe	systeminfo.exe
PID 2960 wrote to memory of 1540	2960	cmd.exe	tasklist.exe
PID 2960 wrote to memory of 1540	2960	cmd.exe	tasklist.exe
PID 2960 wrote to memory of 1424	2960	cmd.exe	net.exe
PID 2960 wrote to memory of 1424	2960	cmd.exe	net.exe
PID 1424 wrote to memory of 2604	1424	net.exe	net1.exe
PID 1424 wrote to memory of 2604	1424	net.exe	net1.exe
PID 2960 wrote to memory of 3856	2960	cmd.exe	net.exe
PID 2960 wrote to memory of 3856	2960	cmd.exe	net.exe
PID 3856 wrote to memory of 2848	3856	net.exe	net1.exe
PID 3856 wrote to memory of 2848	3856	net.exe	net1.exe
PID 2960 wrote to memory of 3876	2960	cmd.exe	net.exe
PID 2960 wrote to memory of 3876	2960	cmd.exe	net.exe
PID 3876 wrote to memory of 3216	3876	net.exe	net1.exe
PID 3876 wrote to memory of 3216	3876	net.exe	net1.exe
PID 2960 wrote to memory of 2884	2960	cmd.exe	net.exe
PID 2960 wrote to memory of 2884	2960	cmd.exe	net.exe
PID 2884 wrote to memory of 3516	2884	net.exe	net1.exe
PID 2884 wrote to memory of 3516	2884	net.exe	net1.exe
PID 2960 wrote to memory of 3152	2960	cmd.exe	net.exe
PID 2960 wrote to memory of 3152	2960	cmd.exe	net.exe
PID 2960 wrote to memory of 960	2960	cmd.exe	net.exe
PID 2960 wrote to memory of 960	2960	cmd.exe	net.exe
PID 960 wrote to memory of 3720	960	net.exe	net1.exe
PID 960 wrote to memory of 3720	960	net.exe	net1.exe
PID 2960 wrote to memory of 368	2960	cmd.exe	net.exe
PID 2960 wrote to memory of 368	2960	cmd.exe	net.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2240

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2288

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2740

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2740 -s 992
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2540

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2836

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2900

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2984

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1300

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3888

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3668

C:\Users\Admin\AppData\Local\Temp\971926a7aab4443e8be8b6906e2fd25d0347ec61120a7983a786f476783eb849.exe
"C:\Users\Admin\AppData\Local\Temp\971926a7aab4443e8be8b6906e2fd25d0347ec61120a7983a786f476783eb849.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3416

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 5a9408068044c9e2ef19c6ea680feb22 mXXzQROENkiGuBKPD0WKJg.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:3956

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:1404

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:2464

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:3404

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
2⤵
PID:2352

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
2⤵
PID:3944

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
2⤵
PID:3512

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
2⤵
PID:220

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
2⤵
PID:824

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
2⤵
PID:1336

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
2⤵
PID:3232

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
2⤵
PID:3260

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
2⤵
PID:3016

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
2⤵
- Gathers network information
PID:1616

C:\Windows\system32\ROUTE.EXE
route print
2⤵
PID:828

C:\Windows\system32\netsh.exe
netsh firewall show state
2⤵
PID:3588

C:\Windows\system32\systeminfo.exe
systeminfo
2⤵
- Gathers system information
PID:2964

C:\Windows\system32\tasklist.exe
tasklist /v
2⤵
- Enumerates processes with tasklist
PID:1540

C:\Windows\system32\net.exe
net accounts /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 accounts /domain
3⤵
PID:2604

C:\Windows\system32\net.exe
net share
2⤵
- Suspicious use of WriteProcessMemory
PID:3856

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
3⤵
PID:2848

C:\Windows\system32\net.exe
net user
2⤵
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
3⤵
PID:3216

C:\Windows\system32\net.exe
net user /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /domain
3⤵
PID:3516

C:\Windows\system32\net.exe
net use
2⤵
PID:3152

C:\Windows\system32\net.exe
net group
2⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group
3⤵
PID:3720

C:\Windows\system32\net.exe
net localgroup
2⤵
PID:368

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
3⤵
PID:1896

C:\Windows\system32\NETSTAT.EXE
netstat -r
2⤵
- Gathers network information
PID:1204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
3⤵
PID:812

C:\Windows\system32\ROUTE.EXE
C:\Windows\system32\route.exe print
4⤵
PID:920

C:\Windows\system32\NETSTAT.EXE
netstat -nao
2⤵
- Gathers network information
PID:3920

C:\Windows\system32\schtasks.exe
schtasks /query
2⤵
PID:4084

C:\Windows\system32\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:456

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3924

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:2200

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:3084

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2896

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2896 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3448

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 872
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3624 -ip 3624
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2568

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:524

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1324

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:864

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2308

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3328

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1556

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2968

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 2740 -ip 2740
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2604

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2940

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2940 -s 840
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1016

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:968

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 2940 -ip 2940
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2736

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3480

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3480 -s 772
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p
1⤵
PID:3912

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 3480 -ip 3480
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2432

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2480

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2480 -s 324
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1340

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 2480 -ip 2480
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3196

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1284

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1284 -s 824
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2300

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 1284 -ip 1284
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2236

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4076

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4076 -s 732
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1184

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 4076 -ip 4076
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1604

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2140

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2140 -s 852
2⤵
- Program crash
PID:3364

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 2140 -ip 2140
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Process Discovery

Query Registry

System Information Discovery

5

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/524-176-0x0000000000580000-0x0000000000587000-memory.dmp

Filesize
28KB

Download
memory/524-177-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/864-181-0x0000000000DB0000-0x0000000000DBE000-memory.dmp

Filesize
56KB

Download
memory/864-180-0x0000000000DC0000-0x0000000000DC9000-memory.dmp

Filesize
36KB

Download
memory/1300-205-0x0000018230100000-0x0000018230101000-memory.dmp

Filesize
4KB

Download
memory/1324-178-0x00000000033B0000-0x00000000033B7000-memory.dmp

Filesize
28KB

Download
memory/1324-179-0x00000000033A0000-0x00000000033AB000-memory.dmp

Filesize
44KB

Download
memory/1556-186-0x0000000000E40000-0x0000000000E46000-memory.dmp

Filesize
24KB

Download
memory/1556-187-0x0000000000E30000-0x0000000000E3B000-memory.dmp

Filesize
44KB

Download
memory/2228-192-0x000001A06C320000-0x000001A06C321000-memory.dmp

Filesize
4KB

Download
memory/2240-193-0x00000208654D0000-0x00000208654D1000-memory.dmp

Filesize
4KB

Download
memory/2288-201-0x0000018D29EB0000-0x0000018D29EB1000-memory.dmp

Filesize
4KB

Download
memory/2308-183-0x00000000033A0000-0x00000000033A9000-memory.dmp

Filesize
36KB

Download
memory/2308-182-0x00000000033B0000-0x00000000033B5000-memory.dmp

Filesize
20KB

Download
memory/2444-134-0x0000000008220000-0x000000000822F000-memory.dmp

Filesize
60KB

Download
memory/2444-133-0x0000000000BA0000-0x0000000000BB6000-memory.dmp

Filesize
88KB

Download
memory/2540-202-0x000001CEFECD0000-0x000001CEFECD1000-memory.dmp

Filesize
4KB

Download
memory/2836-208-0x00000287903F0000-0x00000287903F1000-memory.dmp

Filesize
4KB

Download
memory/2836-203-0x00000287903F0000-0x00000287903F1000-memory.dmp

Filesize
4KB

Download
memory/2900-204-0x000001ACEE9E0000-0x000001ACEE9E1000-memory.dmp

Filesize
4KB

Download
memory/2968-190-0x00000000012A0000-0x00000000012A7000-memory.dmp

Filesize
28KB

Download
memory/2968-191-0x0000000001290000-0x000000000129D000-memory.dmp

Filesize
52KB

Download
memory/3084-189-0x0000000004820000-0x000000000482B000-memory.dmp

Filesize
44KB

Download
memory/3084-188-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/3328-185-0x00000000001D0000-0x00000000001DC000-memory.dmp

Filesize
48KB

Download
memory/3328-184-0x00000000001E0000-0x00000000001E6000-memory.dmp

Filesize
24KB

Download
memory/3416-132-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3416-130-0x00000000007D0000-0x00000000007FB000-memory.dmp

Filesize
172KB

Download
memory/3416-131-0x0000000000710000-0x0000000000719000-memory.dmp

Filesize
36KB

Download
memory/3624-175-0x00000000006A0000-0x000000000070B000-memory.dmp

Filesize
428KB

Download
memory/3624-174-0x0000000000710000-0x0000000000785000-memory.dmp

Filesize
468KB

Download
memory/3668-206-0x0000020FE0670000-0x0000020FE0671000-memory.dmp

Filesize
4KB

Download
memory/3888-207-0x0000020352010000-0x0000020352011000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads