Analysis
- max time kernel: 151s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 26-01-2022 20:41
- Static task: static1
- Behavioral task: behavioral1
- Sample: a91b47dd04b0e0239d087f40e153971719cb9b386d73cc80c6b2feaa368bf101.exe
- Resource: win10v2004-en-20220112
General
- Target: a91b47dd04b0e0239d087f40e153971719cb9b386d73cc80c6b2feaa368bf101.exe
- Size: 356KB
- MD5: 594a5d0869620855f89487ba04420a6e
- SHA1: 0694e7e225cae7c8039e1feb20fe1784acd52061
- SHA256: a91b47dd04b0e0239d087f40e153971719cb9b386d73cc80c6b2feaa368bf101
- SHA512: 2f7715a4bd64d8f45eb5e47b6edff1f6f6fa403659badbfd08528a6a95d4e7f152412e084de7fd5ba8ada2da22a2539c9cc6e23e6e620b3748b5beef11d0f5dc
Malware Config
Extracted
- Family: smokeloader
- Version: 2020
- C2: https://oakland-studio.video/search.php
- C2: https://seattle-university.video/search.php
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 7 IoCs
Processes (description; pid; process; target process):
- PID 3256 created 2944; 3256; WerFault.exe; explorer.exe
- PID 2580 created 2740; 2580; WerFault.exe; DllHost.exe
- PID 2564 created 2588; 2564; WerFault.exe; DllHost.exe
- PID 2504 created 2392; 2504; WerFault.exe; DllHost.exe
- PID 3368 created 1520; 3368; WerFault.exe; DllHost.exe
- PID 1256 created 2596; 1256; WerFault.exe; DllHost.exe
- PID 1272 created 1184; 1272; WerFault.exe; DllHost.exe
-
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
-
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
-
Modifies Windows Firewall 1 TTPs
-
Sets service image path in registry 2 TTPs
-
Drops file in Windows directory 2 IoCs
Processes (description; ioc; process):
- File created; C:\Windows\AppCompat\Programs\Amcache.hve.tmp; WerFault.exe
- File opened for modification; C:\Windows\Logs\CBS\CBS.log; TiWorker.exe
-
Program crash 7 IoCs
Processes (pid; pid_target; process; target process):
- 2588; 2944; WerFault.exe; explorer.exe
- 3788; 2740; WerFault.exe; DllHost.exe
- 1420; 2588; WerFault.exe; DllHost.exe
- 1796; 2392; WerFault.exe; DllHost.exe
- 2744; 1520; WerFault.exe; DllHost.exe
- 3352; 2596; WerFault.exe; DllHost.exe
- 1796; 1184; WerFault.exe; DllHost.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes (description; ioc; process):
- Key opened; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI; a91b47dd04b0e0239d087f40e153971719cb9b386d73cc80c6b2feaa368bf101.exe
- Key queried; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI; a91b47dd04b0e0239d087f40e153971719cb9b386d73cc80c6b2feaa368bf101.exe
- Key enumerated; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI; a91b47dd04b0e0239d087f40e153971719cb9b386d73cc80c6b2feaa368bf101.exe
-
Checks processor information in registry 2 TTPs 21 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 14 IoCs
-
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.
Processes (pid; process):
- 3892; ipconfig.exe
- 216; NETSTAT.EXE
- 3932; NETSTAT.EXE
- 696; ipconfig.exe
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Modifies data under HKEY_USERS 41 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid; process):
- 2444
-
Suspicious behavior: MapViewOfSection 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes (pid; process):
- 1652; iexplore.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes (pid; process):
- 1652; iexplore.exe
- 1652; iexplore.exe
- 3760; IEXPLORE.EXE
- 3760; IEXPLORE.EXE
-
Suspicious use of UnmapMainImage 1 IoCs
Processes (pid; process):
- 3888; RuntimeBroker.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2740 -s 9442⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Users\Admin\AppData\Local\Temp\a91b47dd04b0e0239d087f40e153971719cb9b386d73cc80c6b2feaa368bf101.exe"C:\Users\Admin\AppData\Local\Temp\a91b47dd04b0e0239d087f40e153971719cb9b386d73cc80c6b2feaa368bf101.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe e715c4a683a02a7df508e92428f60cb1 mXXzQROENkiGuBKPD0WKJg.0.1.0.0.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\cmd.execmd1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv2⤵
-
C:\Windows\system32\ipconfig.exe (tree depth 2)
  ipconfig /displaydns
  - Gathers network information

C:\Windows\system32\ROUTE.EXE (tree depth 2)
  route print

C:\Windows\system32\netsh.exe (tree depth 2)
  netsh firewall show state

C:\Windows\system32\systeminfo.exe (tree depth 2)
  systeminfo
  - Gathers system information

C:\Windows\system32\tasklist.exe (tree depth 2)
  tasklist /v
  - Enumerates processes with tasklist

C:\Windows\system32\net.exe (tree depth 2)
  net accounts /domain
  - Suspicious use of WriteProcessMemory

C:\Windows\system32\net1.exe (tree depth 3)
  C:\Windows\system32\net1 accounts /domain

C:\Windows\system32\net.exe (tree depth 2)
  net share
  - Suspicious use of WriteProcessMemory

C:\Windows\system32\net1.exe (tree depth 3)
  C:\Windows\system32\net1 share

C:\Windows\system32\net.exe (tree depth 2)
  net user
  - Suspicious use of WriteProcessMemory

C:\Windows\system32\net1.exe (tree depth 3)
  C:\Windows\system32\net1 user

C:\Windows\system32\net.exe (tree depth 2)
  net user /domain
  - Suspicious use of WriteProcessMemory

C:\Windows\system32\net1.exe (tree depth 3)
  C:\Windows\system32\net1 user /domain

C:\Windows\system32\net.exe (tree depth 2)
  net use

C:\Windows\system32\net.exe (tree depth 2)
  net group
  - Suspicious use of WriteProcessMemory

C:\Windows\system32\net1.exe (tree depth 3)
  C:\Windows\system32\net1 group

C:\Windows\system32\net.exe (tree depth 2)
  net localgroup

C:\Windows\system32\net1.exe (tree depth 3)
  C:\Windows\system32\net1 localgroup

C:\Windows\system32\NETSTAT.EXE (tree depth 2)
  netstat -r
  - Gathers network information

C:\Windows\system32\cmd.exe (tree depth 3)
  C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print

C:\Windows\system32\ROUTE.EXE (tree depth 4)
  C:\Windows\system32\route.exe print

C:\Windows\system32\NETSTAT.EXE (tree depth 2)
  netstat -nao
  - Gathers network information

C:\Windows\system32\schtasks.exe (tree depth 2)
  schtasks /query

C:\Windows\system32\ipconfig.exe (tree depth 2)
  ipconfig /all
  - Gathers network information
C:\Windows\system32\msiexec.exe (tree depth 1)
  C:\Windows\system32\msiexec.exe /V

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (tree depth 1)
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory

C:\Program Files (x86)\Internet Explorer\ielowutil.exe (tree depth 1)
  "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe (tree depth 1)
  "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (tree depth 2)
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1652 CREDAT:17410 /prefetch:2
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\svchost.exe (tree depth 1)
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p

C:\Windows\SysWOW64\explorer.exe (tree depth 1)
  C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WerFault.exe (tree depth 2)
  C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 892
  - Drops file in Windows directory
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
C:\Windows\explorer.exe (tree depth 1)
  C:\Windows\explorer.exe

C:\Windows\SysWOW64\WerFault.exe (tree depth 1)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2944 -ip 2944
  - Suspicious use of NtCreateProcessExOtherParentProcess

C:\Windows\SysWOW64\explorer.exe (tree depth 1)
  C:\Windows\SysWOW64\explorer.exe
  - Suspicious behavior: MapViewOfSection

C:\Windows\explorer.exe (tree depth 1)
  C:\Windows\explorer.exe
  - Suspicious behavior: MapViewOfSection

C:\Windows\SysWOW64\explorer.exe (tree depth 1)
  C:\Windows\SysWOW64\explorer.exe
  - Suspicious behavior: MapViewOfSection

C:\Windows\explorer.exe (tree depth 1)
  C:\Windows\explorer.exe
  - Suspicious behavior: MapViewOfSection

C:\Windows\SysWOW64\explorer.exe (tree depth 1)
  C:\Windows\SysWOW64\explorer.exe
  - Suspicious behavior: MapViewOfSection

C:\Windows\explorer.exe (tree depth 1)
  C:\Windows\explorer.exe
  - Suspicious behavior: MapViewOfSection

C:\Windows\system32\WerFault.exe (tree depth 1)
  C:\Windows\system32\WerFault.exe -pss -s 476 -p 2740 -ip 2740
  - Suspicious use of NtCreateProcessExOtherParentProcess

C:\Windows\system32\DllHost.exe (tree depth 1)
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\WerFault.exe (tree depth 2)
  C:\Windows\system32\WerFault.exe -u -p 2588 -s 776
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

C:\Windows\system32\WerFault.exe (tree depth 1)
  C:\Windows\system32\WerFault.exe -pss -s 488 -p 2588 -ip 2588
  - Suspicious use of NtCreateProcessExOtherParentProcess

C:\Windows\system32\DllHost.exe (tree depth 1)
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\WerFault.exe (tree depth 2)
  C:\Windows\system32\WerFault.exe -u -p 2392 -s 816
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

C:\Windows\system32\WerFault.exe (tree depth 1)
  C:\Windows\system32\WerFault.exe -pss -s 420 -p 2392 -ip 2392
  - Suspicious use of NtCreateProcessExOtherParentProcess

C:\Windows\system32\DllHost.exe (tree depth 1)
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\WerFault.exe (tree depth 2)
  C:\Windows\system32\WerFault.exe -u -p 1520 -s 808
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

C:\Windows\system32\WerFault.exe (tree depth 1)
  C:\Windows\system32\WerFault.exe -pss -s 540 -p 1520 -ip 1520
  - Suspicious use of NtCreateProcessExOtherParentProcess

C:\Windows\system32\DllHost.exe (tree depth 1)
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\WerFault.exe (tree depth 2)
  C:\Windows\system32\WerFault.exe -u -p 2596 -s 792
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

C:\Windows\system32\WerFault.exe (tree depth 1)
  C:\Windows\system32\WerFault.exe -pss -s 552 -p 2596 -ip 2596
  - Suspicious use of NtCreateProcessExOtherParentProcess

C:\Windows\system32\DllHost.exe (tree depth 1)
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\WerFault.exe (tree depth 2)
  C:\Windows\system32\WerFault.exe -u -p 1184 -s 848
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

C:\Windows\system32\WerFault.exe (tree depth 1)
  C:\Windows\system32\WerFault.exe -pss -s 568 -p 1184 -ip 1184
  - Suspicious use of NtCreateProcessExOtherParentProcess
MITRE ATT&CK Matrix ATT&CK v6
Downloads