smokeloader | a91b47dd04b0e0239d087f40e153971719cb9b386d73cc80c6b2feaa368bf101

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

a91b47dd04b0e0239d087f40e153971719cb9b386d73cc80c6b2feaa368bf101.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a91b47dd04b0e0239d087f40e153971719cb9b386d73cc80c6b2feaa368bf101.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a91b47dd04b0e0239d087f40e153971719cb9b386d73cc80c6b2feaa368bf101.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a91b47dd04b0e0239d087f40e153971719cb9b386d73cc80c6b2feaa368bf101.exe

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2284 tasklist.exe

pid	process
2284	tasklist.exe

Enumerates system info in registry 2 TTPs 14 IoCs

Query Registry

System Information Discovery

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeNETSTAT.EXENETSTAT.EXEipconfig.exe

pid process

3892 ipconfig.exe
216 NETSTAT.EXE
3932 NETSTAT.EXE
696 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1784 systeminfo.exe

pid	process
3892	ipconfig.exe
216	NETSTAT.EXE
3932	NETSTAT.EXE
696	ipconfig.exe

pid	process
1784	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30937853"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2931582223"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 400162b3fd12d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2953143944"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2931582223"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DA08F5E0-7EF0-11EC-82D0-6233295FD4AC} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30937853"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20e86db3fd12d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30937853"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "349998324"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cce5a29beacafa47833fc2d72883fdda00000000020000000000106600000001000020000000e549a153a687d0dfa532f92906e27552d348b1781465f14788e96b671275944f000000000e8000000002000020000000de9154f99a1a1db8939f4f49f4d0fb49bfcb60ab80b94f9d687af76ab667fc1a2000000038ab6e417caa0611612a9d77866b35c036ea5ab852d2b0883c2cb355fe821e544000000050247e62e1cdadf3c6b907b64da93c7daba93b9e21311b5b650991b1ac6979fc09bddf9a387b79ac8976ab1500d3184aeb8ade904b6aa5e72f1113701ba5c42d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cce5a29beacafa47833fc2d72883fdda000000000200000000001066000000010000200000009ea17acbf628704d8ffbd074eaad154aafe0c7abb75a17bc164ebb6615f5e446000000000e80000000020000200000000f37533ad82f15cc86f734a2ccee65e12ad30a849b6e51daabe80625438ff3a120000000127c2e1176450b8de881ddb22f7b207f4714eb9b1d50b298c57ccb71cb42975240000000cad197f58aa153df8d042f39cf738ba7ac3cb0da96d81ad17d95eae09f3e062236a9bb18b48fbb680941a90cd38ffb2e7c1e7a70afe5a58646a1e1f8a8851a86	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

WaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a91b47dd04b0e0239d087f40e153971719cb9b386d73cc80c6b2feaa368bf101.exe

pid	process
3904	a91b47dd04b0e0239d087f40e153971719cb9b386d73cc80c6b2feaa368bf101.exe
3904	a91b47dd04b0e0239d087f40e153971719cb9b386d73cc80c6b2feaa368bf101.exe
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444
2444

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2444

pid	process
2444

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

a91b47dd04b0e0239d087f40e153971719cb9b386d73cc80c6b2feaa368bf101.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
3904	a91b47dd04b0e0239d087f40e153971719cb9b386d73cc80c6b2feaa368bf101.exe
2444
2444
2444
2444
2444
2444
3900	explorer.exe
3900	explorer.exe
2444
2444
2256	explorer.exe
2256	explorer.exe
2444
2444
3832	explorer.exe
3832	explorer.exe
2444
2444
1208	explorer.exe
1208	explorer.exe
2444
2444
3012	explorer.exe
3012	explorer.exe
3012	explorer.exe
3012	explorer.exe
2444
2444
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3116	WMIC.exe
Token: SeSecurityPrivilege	3116	WMIC.exe
Token: SeTakeOwnershipPrivilege	3116	WMIC.exe
Token: SeLoadDriverPrivilege	3116	WMIC.exe
Token: SeSystemProfilePrivilege	3116	WMIC.exe
Token: SeSystemtimePrivilege	3116	WMIC.exe
Token: SeProfSingleProcessPrivilege	3116	WMIC.exe
Token: SeIncBasePriorityPrivilege	3116	WMIC.exe
Token: SeCreatePagefilePrivilege	3116	WMIC.exe
Token: SeBackupPrivilege	3116	WMIC.exe
Token: SeRestorePrivilege	3116	WMIC.exe
Token: SeShutdownPrivilege	3116	WMIC.exe
Token: SeDebugPrivilege	3116	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3116	WMIC.exe
Token: SeRemoteShutdownPrivilege	3116	WMIC.exe
Token: SeUndockPrivilege	3116	WMIC.exe
Token: SeManageVolumePrivilege	3116	WMIC.exe
Token: 33	3116	WMIC.exe
Token: 34	3116	WMIC.exe
Token: 35	3116	WMIC.exe
Token: 36	3116	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3116	WMIC.exe
Token: SeSecurityPrivilege	3116	WMIC.exe
Token: SeTakeOwnershipPrivilege	3116	WMIC.exe
Token: SeLoadDriverPrivilege	3116	WMIC.exe
Token: SeSystemProfilePrivilege	3116	WMIC.exe
Token: SeSystemtimePrivilege	3116	WMIC.exe
Token: SeProfSingleProcessPrivilege	3116	WMIC.exe
Token: SeIncBasePriorityPrivilege	3116	WMIC.exe
Token: SeCreatePagefilePrivilege	3116	WMIC.exe
Token: SeBackupPrivilege	3116	WMIC.exe
Token: SeRestorePrivilege	3116	WMIC.exe
Token: SeShutdownPrivilege	3116	WMIC.exe
Token: SeDebugPrivilege	3116	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3116	WMIC.exe
Token: SeRemoteShutdownPrivilege	3116	WMIC.exe
Token: SeUndockPrivilege	3116	WMIC.exe
Token: SeManageVolumePrivilege	3116	WMIC.exe
Token: 33	3116	WMIC.exe
Token: 34	3116	WMIC.exe
Token: 35	3116	WMIC.exe
Token: 36	3116	WMIC.exe
Token: SeIncreaseQuotaPrivilege	816	WMIC.exe
Token: SeSecurityPrivilege	816	WMIC.exe
Token: SeTakeOwnershipPrivilege	816	WMIC.exe
Token: SeLoadDriverPrivilege	816	WMIC.exe
Token: SeSystemProfilePrivilege	816	WMIC.exe
Token: SeSystemtimePrivilege	816	WMIC.exe
Token: SeProfSingleProcessPrivilege	816	WMIC.exe
Token: SeIncBasePriorityPrivilege	816	WMIC.exe
Token: SeCreatePagefilePrivilege	816	WMIC.exe
Token: SeBackupPrivilege	816	WMIC.exe
Token: SeRestorePrivilege	816	WMIC.exe
Token: SeShutdownPrivilege	816	WMIC.exe
Token: SeDebugPrivilege	816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	816	WMIC.exe
Token: SeRemoteShutdownPrivilege	816	WMIC.exe
Token: SeUndockPrivilege	816	WMIC.exe
Token: SeManageVolumePrivilege	816	WMIC.exe
Token: 33	816	WMIC.exe
Token: 34	816	WMIC.exe
Token: 35	816	WMIC.exe
Token: 36	816	WMIC.exe
Token: SeIncreaseQuotaPrivilege	816	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1652 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1652 iexplore.exe
1652 iexplore.exe
3760 IEXPLORE.EXE
3760 IEXPLORE.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

RuntimeBroker.exe

pid process

3888 RuntimeBroker.exe

pid	process
1652	iexplore.exe

pid	process
1652	iexplore.exe
1652	iexplore.exe
3760	IEXPLORE.EXE
3760	IEXPLORE.EXE

pid	process
3888	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2444 wrote to memory of 1436	2444		cmd.exe
PID 2444 wrote to memory of 1436	2444		cmd.exe
PID 1436 wrote to memory of 3116	1436	cmd.exe	WMIC.exe
PID 1436 wrote to memory of 3116	1436	cmd.exe	WMIC.exe
PID 1436 wrote to memory of 816	1436	cmd.exe	WMIC.exe
PID 1436 wrote to memory of 816	1436	cmd.exe	WMIC.exe
PID 1436 wrote to memory of 2852	1436	cmd.exe	WMIC.exe
PID 1436 wrote to memory of 2852	1436	cmd.exe	WMIC.exe
PID 1436 wrote to memory of 3452	1436	cmd.exe	WMIC.exe
PID 1436 wrote to memory of 3452	1436	cmd.exe	WMIC.exe
PID 1436 wrote to memory of 3120	1436	cmd.exe	WMIC.exe
PID 1436 wrote to memory of 3120	1436	cmd.exe	WMIC.exe
PID 1436 wrote to memory of 1476	1436	cmd.exe	WMIC.exe
PID 1436 wrote to memory of 1476	1436	cmd.exe	WMIC.exe
PID 1436 wrote to memory of 4020	1436	cmd.exe	WMIC.exe
PID 1436 wrote to memory of 4020	1436	cmd.exe	WMIC.exe
PID 1436 wrote to memory of 1972	1436	cmd.exe	WMIC.exe
PID 1436 wrote to memory of 1972	1436	cmd.exe	WMIC.exe
PID 1436 wrote to memory of 2644	1436	cmd.exe	WMIC.exe
PID 1436 wrote to memory of 2644	1436	cmd.exe	WMIC.exe
PID 1436 wrote to memory of 3776	1436	cmd.exe	WMIC.exe
PID 1436 wrote to memory of 3776	1436	cmd.exe	WMIC.exe
PID 1436 wrote to memory of 380	1436	cmd.exe	WMIC.exe
PID 1436 wrote to memory of 380	1436	cmd.exe	WMIC.exe
PID 1436 wrote to memory of 2504	1436	cmd.exe	WMIC.exe
PID 1436 wrote to memory of 2504	1436	cmd.exe	WMIC.exe
PID 1436 wrote to memory of 2456	1436	cmd.exe	WMIC.exe
PID 1436 wrote to memory of 2456	1436	cmd.exe	WMIC.exe
PID 1436 wrote to memory of 3440	1436	cmd.exe	WMIC.exe
PID 1436 wrote to memory of 3440	1436	cmd.exe	WMIC.exe
PID 1436 wrote to memory of 3892	1436	cmd.exe	ipconfig.exe
PID 1436 wrote to memory of 3892	1436	cmd.exe	ipconfig.exe
PID 1436 wrote to memory of 936	1436	cmd.exe	ROUTE.EXE
PID 1436 wrote to memory of 936	1436	cmd.exe	ROUTE.EXE
PID 1436 wrote to memory of 3136	1436	cmd.exe	netsh.exe
PID 1436 wrote to memory of 3136	1436	cmd.exe	netsh.exe
PID 1436 wrote to memory of 1784	1436	cmd.exe	systeminfo.exe
PID 1436 wrote to memory of 1784	1436	cmd.exe	systeminfo.exe
PID 1436 wrote to memory of 2284	1436	cmd.exe	tasklist.exe
PID 1436 wrote to memory of 2284	1436	cmd.exe	tasklist.exe
PID 1436 wrote to memory of 2456	1436	cmd.exe	net.exe
PID 1436 wrote to memory of 2456	1436	cmd.exe	net.exe
PID 2456 wrote to memory of 3416	2456	net.exe	net1.exe
PID 2456 wrote to memory of 3416	2456	net.exe	net1.exe
PID 1436 wrote to memory of 2588	1436	cmd.exe	net.exe
PID 1436 wrote to memory of 2588	1436	cmd.exe	net.exe
PID 2588 wrote to memory of 2168	2588	net.exe	net1.exe
PID 2588 wrote to memory of 2168	2588	net.exe	net1.exe
PID 1436 wrote to memory of 3224	1436	cmd.exe	net.exe
PID 1436 wrote to memory of 3224	1436	cmd.exe	net.exe
PID 3224 wrote to memory of 4064	3224	net.exe	net1.exe
PID 3224 wrote to memory of 4064	3224	net.exe	net1.exe
PID 1436 wrote to memory of 4052	1436	cmd.exe	net.exe
PID 1436 wrote to memory of 4052	1436	cmd.exe	net.exe
PID 4052 wrote to memory of 2236	4052	net.exe	net1.exe
PID 4052 wrote to memory of 2236	4052	net.exe	net1.exe
PID 1436 wrote to memory of 2308	1436	cmd.exe	net.exe
PID 1436 wrote to memory of 2308	1436	cmd.exe	net.exe
PID 1436 wrote to memory of 3524	1436	cmd.exe	net.exe
PID 1436 wrote to memory of 3524	1436	cmd.exe	net.exe
PID 3524 wrote to memory of 1680	3524	net.exe	net1.exe
PID 3524 wrote to memory of 1680	3524	net.exe	net1.exe
PID 1436 wrote to memory of 3684	1436	cmd.exe	net.exe
PID 1436 wrote to memory of 3684	1436	cmd.exe	net.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2228

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2240

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2740

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2740 -s 944
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3788

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2836

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2540

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1300

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3888

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3668

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\a91b47dd04b0e0239d087f40e153971719cb9b386d73cc80c6b2feaa368bf101.exe
"C:\Users\Admin\AppData\Local\Temp\a91b47dd04b0e0239d087f40e153971719cb9b386d73cc80c6b2feaa368bf101.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3904

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe e715c4a683a02a7df508e92428f60cb1 mXXzQROENkiGuBKPD0WKJg.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:4064

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:2852

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:3452

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:3120

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
2⤵
PID:1476

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
2⤵
PID:4020

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
2⤵
PID:1972

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
2⤵
PID:2644

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
2⤵
PID:3776

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
2⤵
PID:380

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
2⤵
PID:2504

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
2⤵
PID:2456

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
2⤵
PID:3440

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
2⤵
- Gathers network information
PID:3892

C:\Windows\system32\ROUTE.EXE
route print
2⤵
PID:936

C:\Windows\system32\netsh.exe
netsh firewall show state
2⤵
PID:3136

C:\Windows\system32\systeminfo.exe
systeminfo
2⤵
- Gathers system information
PID:1784

C:\Windows\system32\tasklist.exe
tasklist /v
2⤵
- Enumerates processes with tasklist
PID:2284

C:\Windows\system32\net.exe
net accounts /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 accounts /domain
3⤵
PID:3416

C:\Windows\system32\net.exe
net share
2⤵
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
3⤵
PID:2168

C:\Windows\system32\net.exe
net user
2⤵
- Suspicious use of WriteProcessMemory
PID:3224

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
3⤵
PID:4064

C:\Windows\system32\net.exe
net user /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /domain
3⤵
PID:2236

C:\Windows\system32\net.exe
net use
2⤵
PID:2308

C:\Windows\system32\net.exe
net group
2⤵
- Suspicious use of WriteProcessMemory
PID:3524

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group
3⤵
PID:1680

C:\Windows\system32\net.exe
net localgroup
2⤵
PID:3684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
3⤵
PID:2828

C:\Windows\system32\NETSTAT.EXE
netstat -r
2⤵
- Gathers network information
PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
3⤵
PID:3992

C:\Windows\system32\ROUTE.EXE
C:\Windows\system32\route.exe print
4⤵
PID:3152

C:\Windows\system32\NETSTAT.EXE
netstat -nao
2⤵
- Gathers network information
PID:3932

C:\Windows\system32\schtasks.exe
schtasks /query
2⤵
PID:1272

C:\Windows\system32\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:696

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:1812

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3848

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:2432

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1652

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1652 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
1⤵
PID:2020

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 892
2⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2588

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2944 -ip 2944
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3256

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3900

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2256

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3832

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1208

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3012

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:360

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 476 -p 2740 -ip 2740
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2580

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2588

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2588 -s 776
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1420

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 2588 -ip 2588
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2564

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2392

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2392 -s 816
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1796

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 2392 -ip 2392
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2504

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1520

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1520 -s 808
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2744

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 1520 -ip 1520
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3368

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2596

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2596 -s 792
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3352

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 2596 -ip 2596
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1256

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1184

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1184 -s 848
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1796

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 1184 -ip 1184
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

3

Peripheral Device Discovery

T1120

System Information Discovery

5

Process Discovery