smokeloader | e073d3debf3ced92c55317b98b6a4d31c8757af4edbddf97c405f555d6d264c0

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

e073d3debf3ced92c55317b98b6a4d31c8757af4edbddf97c405f555d6d264c0.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e073d3debf3ced92c55317b98b6a4d31c8757af4edbddf97c405f555d6d264c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e073d3debf3ced92c55317b98b6a4d31c8757af4edbddf97c405f555d6d264c0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e073d3debf3ced92c55317b98b6a4d31c8757af4edbddf97c405f555d6d264c0.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

System Information Discovery

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

2340 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1344 systeminfo.exe

pid	process
2340	ipconfig.exe

pid	process
1344	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cce5a29beacafa47833fc2d72883fdda00000000020000000000106600000001000020000000d25f3b77d4f48a4e1d5b70a315f4e9e4feed068f6fa7277b4788178f399c433b000000000e8000000002000020000000e875d4e6799a40a804d983d4257bf79a5db252269221ab9d17750be5aa49332b200000004145312ad5b7e3d388805a1f07ca03f60554212291c3dd5f5e131bb7fddda846400000005ca117681abd7d27fb3053151519377c77e60be5d392e1d85b29e375558256588617efbe18a88bee27e339f5ebbee37d835a8b95a85b11f656a27ca1ebbd65fd	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cce5a29beacafa47833fc2d72883fdda000000000200000000001066000000010000200000000b51f6b61d1d5df33ac490df6d938379bd84df004e7ee08bdfc93650ae662c69000000000e80000000020000200000007be8ab50a44f3b165eb736891773b4a3d7e0fbb06e91c06849d5d4ffeec423cb20000000ead6b5aa8a54d87f87752504c2648ad6893639a4c2055556a7336a1ef2cbcc83400000009b726a266a7bbfe400d8b6539714233d70635339e44002005f3e0117a482456bfe6b0d63b256be0749c07d01c223c07558aa8f8201621c465e25db1bbe473532	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "162635857"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "130135128"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30937715"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0727a0c7312d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30937715"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30937715"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00a5620c7312d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{32E5BC14-7E66-11EC-82D0-5ECADF14C037} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "130135128"	iexplore.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

WaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e073d3debf3ced92c55317b98b6a4d31c8757af4edbddf97c405f555d6d264c0.exe

pid	process
1240	e073d3debf3ced92c55317b98b6a4d31c8757af4edbddf97c405f555d6d264c0.exe
1240	e073d3debf3ced92c55317b98b6a4d31c8757af4edbddf97c405f555d6d264c0.exe
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520
2520

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2520

pid	process
2520

Suspicious behavior: MapViewOfSection 61 IoCs

Processes:

e073d3debf3ced92c55317b98b6a4d31c8757af4edbddf97c405f555d6d264c0.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
1240	e073d3debf3ced92c55317b98b6a4d31c8757af4edbddf97c405f555d6d264c0.exe
2520
2520
2520
2520
2520
2520
3840	explorer.exe
3840	explorer.exe
2520
2520
3864	explorer.exe
3864	explorer.exe
2520
2520
4008	explorer.exe
4008	explorer.exe
2520
2520
2660	explorer.exe
2660	explorer.exe
2520
2520
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2520
2520
3140	explorer.exe
3140	explorer.exe
2308	explorer.exe
2308	explorer.exe
3140	explorer.exe
3140	explorer.exe
3140	explorer.exe
3140	explorer.exe
3140	explorer.exe
3140	explorer.exe
3140	explorer.exe
3140	explorer.exe
3140	explorer.exe
3140	explorer.exe
3140	explorer.exe
3140	explorer.exe
3140	explorer.exe
3140	explorer.exe
3140	explorer.exe
3140	explorer.exe
3140	explorer.exe
3140	explorer.exe
3140	explorer.exe
3140	explorer.exe
3140	explorer.exe
3140	explorer.exe
3140	explorer.exe
3140	explorer.exe
3140	explorer.exe
3140	explorer.exe
3140	explorer.exe
3140	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3780	WMIC.exe
Token: SeSecurityPrivilege	3780	WMIC.exe
Token: SeTakeOwnershipPrivilege	3780	WMIC.exe
Token: SeLoadDriverPrivilege	3780	WMIC.exe
Token: SeSystemProfilePrivilege	3780	WMIC.exe
Token: SeSystemtimePrivilege	3780	WMIC.exe
Token: SeProfSingleProcessPrivilege	3780	WMIC.exe
Token: SeIncBasePriorityPrivilege	3780	WMIC.exe
Token: SeCreatePagefilePrivilege	3780	WMIC.exe
Token: SeBackupPrivilege	3780	WMIC.exe
Token: SeRestorePrivilege	3780	WMIC.exe
Token: SeShutdownPrivilege	3780	WMIC.exe
Token: SeDebugPrivilege	3780	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3780	WMIC.exe
Token: SeRemoteShutdownPrivilege	3780	WMIC.exe
Token: SeUndockPrivilege	3780	WMIC.exe
Token: SeManageVolumePrivilege	3780	WMIC.exe
Token: 33	3780	WMIC.exe
Token: 34	3780	WMIC.exe
Token: 35	3780	WMIC.exe
Token: 36	3780	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3780	WMIC.exe
Token: SeSecurityPrivilege	3780	WMIC.exe
Token: SeTakeOwnershipPrivilege	3780	WMIC.exe
Token: SeLoadDriverPrivilege	3780	WMIC.exe
Token: SeSystemProfilePrivilege	3780	WMIC.exe
Token: SeSystemtimePrivilege	3780	WMIC.exe
Token: SeProfSingleProcessPrivilege	3780	WMIC.exe
Token: SeIncBasePriorityPrivilege	3780	WMIC.exe
Token: SeCreatePagefilePrivilege	3780	WMIC.exe
Token: SeBackupPrivilege	3780	WMIC.exe
Token: SeRestorePrivilege	3780	WMIC.exe
Token: SeShutdownPrivilege	3780	WMIC.exe
Token: SeDebugPrivilege	3780	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3780	WMIC.exe
Token: SeRemoteShutdownPrivilege	3780	WMIC.exe
Token: SeUndockPrivilege	3780	WMIC.exe
Token: SeManageVolumePrivilege	3780	WMIC.exe
Token: 33	3780	WMIC.exe
Token: 34	3780	WMIC.exe
Token: 35	3780	WMIC.exe
Token: 36	3780	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3104	WMIC.exe
Token: SeSecurityPrivilege	3104	WMIC.exe
Token: SeTakeOwnershipPrivilege	3104	WMIC.exe
Token: SeLoadDriverPrivilege	3104	WMIC.exe
Token: SeSystemProfilePrivilege	3104	WMIC.exe
Token: SeSystemtimePrivilege	3104	WMIC.exe
Token: SeProfSingleProcessPrivilege	3104	WMIC.exe
Token: SeIncBasePriorityPrivilege	3104	WMIC.exe
Token: SeCreatePagefilePrivilege	3104	WMIC.exe
Token: SeBackupPrivilege	3104	WMIC.exe
Token: SeRestorePrivilege	3104	WMIC.exe
Token: SeShutdownPrivilege	3104	WMIC.exe
Token: SeDebugPrivilege	3104	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3104	WMIC.exe
Token: SeRemoteShutdownPrivilege	3104	WMIC.exe
Token: SeUndockPrivilege	3104	WMIC.exe
Token: SeManageVolumePrivilege	3104	WMIC.exe
Token: 33	3104	WMIC.exe
Token: 34	3104	WMIC.exe
Token: 35	3104	WMIC.exe
Token: 36	3104	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3104	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2236 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2236 iexplore.exe
2236 iexplore.exe
3916 IEXPLORE.EXE
3916 IEXPLORE.EXE

pid	process
2236	iexplore.exe

pid	process
2236	iexplore.exe
2236	iexplore.exe
3916	IEXPLORE.EXE
3916	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeiexplore.exeexplorer.exeWerFault.exeexplorer.exe

description	pid	process	target process
PID 2520 wrote to memory of 3176	2520		cmd.exe
PID 2520 wrote to memory of 3176	2520		cmd.exe
PID 3176 wrote to memory of 3780	3176	cmd.exe	WMIC.exe
PID 3176 wrote to memory of 3780	3176	cmd.exe	WMIC.exe
PID 3176 wrote to memory of 3104	3176	cmd.exe	WMIC.exe
PID 3176 wrote to memory of 3104	3176	cmd.exe	WMIC.exe
PID 3176 wrote to memory of 952	3176	cmd.exe	WMIC.exe
PID 3176 wrote to memory of 952	3176	cmd.exe	WMIC.exe
PID 3176 wrote to memory of 3196	3176	cmd.exe	WMIC.exe
PID 3176 wrote to memory of 3196	3176	cmd.exe	WMIC.exe
PID 3176 wrote to memory of 1252	3176	cmd.exe	WMIC.exe
PID 3176 wrote to memory of 1252	3176	cmd.exe	WMIC.exe
PID 3176 wrote to memory of 2304	3176	cmd.exe	WMIC.exe
PID 3176 wrote to memory of 2304	3176	cmd.exe	WMIC.exe
PID 3176 wrote to memory of 796	3176	cmd.exe	WMIC.exe
PID 3176 wrote to memory of 796	3176	cmd.exe	WMIC.exe
PID 3176 wrote to memory of 4056	3176	cmd.exe	WMIC.exe
PID 3176 wrote to memory of 4056	3176	cmd.exe	WMIC.exe
PID 3176 wrote to memory of 3432	3176	cmd.exe	WMIC.exe
PID 3176 wrote to memory of 3432	3176	cmd.exe	WMIC.exe
PID 3176 wrote to memory of 1168	3176	cmd.exe	WMIC.exe
PID 3176 wrote to memory of 1168	3176	cmd.exe	WMIC.exe
PID 3176 wrote to memory of 3440	3176	cmd.exe	WMIC.exe
PID 3176 wrote to memory of 3440	3176	cmd.exe	WMIC.exe
PID 3176 wrote to memory of 3284	3176	cmd.exe	WMIC.exe
PID 3176 wrote to memory of 3284	3176	cmd.exe	WMIC.exe
PID 3176 wrote to memory of 1608	3176	cmd.exe	WMIC.exe
PID 3176 wrote to memory of 1608	3176	cmd.exe	WMIC.exe
PID 3176 wrote to memory of 3668	3176	cmd.exe	WMIC.exe
PID 3176 wrote to memory of 3668	3176	cmd.exe	WMIC.exe
PID 3176 wrote to memory of 2340	3176	cmd.exe	ipconfig.exe
PID 3176 wrote to memory of 2340	3176	cmd.exe	ipconfig.exe
PID 3176 wrote to memory of 3676	3176	cmd.exe	ROUTE.EXE
PID 3176 wrote to memory of 3676	3176	cmd.exe	ROUTE.EXE
PID 3176 wrote to memory of 3076	3176	cmd.exe	netsh.exe
PID 3176 wrote to memory of 3076	3176	cmd.exe	netsh.exe
PID 3176 wrote to memory of 1344	3176	cmd.exe	systeminfo.exe
PID 3176 wrote to memory of 1344	3176	cmd.exe	systeminfo.exe
PID 2236 wrote to memory of 3916	2236	iexplore.exe	IEXPLORE.EXE
PID 2236 wrote to memory of 3916	2236	iexplore.exe	IEXPLORE.EXE
PID 2236 wrote to memory of 3916	2236	iexplore.exe	IEXPLORE.EXE
PID 2520 wrote to memory of 1120	2520		explorer.exe
PID 2520 wrote to memory of 1120	2520		explorer.exe
PID 2520 wrote to memory of 1120	2520		explorer.exe
PID 2520 wrote to memory of 1120	2520		explorer.exe
PID 2520 wrote to memory of 864	2520		explorer.exe
PID 2520 wrote to memory of 864	2520		explorer.exe
PID 2520 wrote to memory of 864	2520		explorer.exe
PID 2520 wrote to memory of 3840	2520		explorer.exe
PID 2520 wrote to memory of 3840	2520		explorer.exe
PID 2520 wrote to memory of 3840	2520		explorer.exe
PID 2520 wrote to memory of 3840	2520		explorer.exe
PID 3840 wrote to memory of 3916	3840	explorer.exe	IEXPLORE.EXE
PID 3840 wrote to memory of 3916	3840	explorer.exe	IEXPLORE.EXE
PID 1544 wrote to memory of 1120	1544	WerFault.exe	explorer.exe
PID 1544 wrote to memory of 1120	1544	WerFault.exe	explorer.exe
PID 2520 wrote to memory of 3864	2520		explorer.exe
PID 2520 wrote to memory of 3864	2520		explorer.exe
PID 2520 wrote to memory of 3864	2520		explorer.exe
PID 3864 wrote to memory of 2236	3864	explorer.exe	iexplore.exe
PID 3864 wrote to memory of 2236	3864	explorer.exe	iexplore.exe
PID 2520 wrote to memory of 4008	2520		explorer.exe
PID 2520 wrote to memory of 4008	2520		explorer.exe
PID 2520 wrote to memory of 4008	2520		explorer.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2296

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2908

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2972

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3236

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:576

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3060

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2800

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2800 -s 964
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2612

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\e073d3debf3ced92c55317b98b6a4d31c8757af4edbddf97c405f555d6d264c0.exe
"C:\Users\Admin\AppData\Local\Temp\e073d3debf3ced92c55317b98b6a4d31c8757af4edbddf97c405f555d6d264c0.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1240

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 8363d1e133f559253abfb6f2ba463f87 omc2//L2GE+ip2xL58nQkA.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:2928

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:952

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:3196

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:1252

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
2⤵
PID:2304

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
2⤵
PID:796

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
2⤵
PID:4056

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
2⤵
PID:3432

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
2⤵
PID:1168

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
2⤵
PID:3440

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
2⤵
PID:3284

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
2⤵
PID:1608

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
2⤵
PID:3668

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
2⤵
- Gathers network information
PID:2340

C:\Windows\system32\ROUTE.EXE
route print
2⤵
PID:3676

C:\Windows\system32\netsh.exe
netsh firewall show state
2⤵
PID:3076

C:\Windows\system32\systeminfo.exe
systeminfo
2⤵
- Gathers system information
PID:1344

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2512

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:3084

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3488

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:3120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p
1⤵
PID:388

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2236

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2236 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
1⤵
PID:4044

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 876
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3516

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:864

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1120 -ip 1120
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3864

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4008

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2660

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2308

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3140

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 2800 -ip 2800
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2664

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1280

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1280 -s 832
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3720

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 360 -p 1280 -ip 1280
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2656

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:460

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 460 -s 796
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2556

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 460 -ip 460
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:116

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3076

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3076 -s 804
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:384

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 3076 -ip 3076
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:204

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:528

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 528 -s 804
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3828

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 528 -ip 528
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1876

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

3

Peripheral Device Discovery

T1120

System Information Discovery

5