smokeloader | d377be4d6a905ccc1ecb50e53bafd15a3b2fe97e9b3ccae7a8af3041542d209b

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

d377be4d6a905ccc1ecb50e53bafd15a3b2fe97e9b3ccae7a8af3041542d209b.exeEED.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d377be4d6a905ccc1ecb50e53bafd15a3b2fe97e9b3ccae7a8af3041542d209b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	EED.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	EED.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	EED.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d377be4d6a905ccc1ecb50e53bafd15a3b2fe97e9b3ccae7a8af3041542d209b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d377be4d6a905ccc1ecb50e53bafd15a3b2fe97e9b3ccae7a8af3041542d209b.exe

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

4040 tasklist.exe

pid	process
4040	tasklist.exe

Enumerates system info in registry 2 TTPs 14 IoCs

Query Registry

System Information Discovery

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXEipconfig.exeipconfig.exeNETSTAT.EXE

pid process

3916 NETSTAT.EXE
3304 ipconfig.exe
676 ipconfig.exe
1808 NETSTAT.EXE
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

3672 systeminfo.exe

pid	process
3916	NETSTAT.EXE
3304	ipconfig.exe
676	ipconfig.exe
1808	NETSTAT.EXE

pid	process
3672	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30937887"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0558a071f13d801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30937887"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70ecb2071f13d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30937887"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2F1159A2-7F12-11EC-82D0-F2F412B024C7} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "63542407"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "63542407"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cce5a29beacafa47833fc2d72883fdda000000000200000000001066000000010000200000001a1bdc2b6f4dda6e286eef71b40c55cc413653d32ac4c2e1a8db31182299a79f000000000e8000000002000020000000c3d299f7e39946c60f776d6522aca786dc9898c94179181331f431a8a771110120000000d2faa9df9c41459ef4fb3f5f5e8f8ca426c244b982cb51d48b02dfa7eb40a9d940000000926a109f1116db62afbe3981a09c52c2bf3bab27fd0e0fdf1c51d496a2084a9d76daa7a62e6e75e6aec7dba2d28caa038dbd2ef3c8f4631b6388983b8d23109b	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "79167642"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cce5a29beacafa47833fc2d72883fdda000000000200000000001066000000010000200000008a674a400648236418434c87d23cca08815b565304ea31f9f65becac0579e288000000000e8000000002000020000000c1e6b584c1aad12e12e6e69b038166282162a988e563e4bdae3e44f4640461a220000000bae4b7930d7803d6ab5749a32d327742bf4d68a2f2d3d0359d823cdb629483d04000000001515fdcb138c6ceea03cdcba0e51fbe84accff8774f612def4e468e5b1382147dc2810277a381ade1866c6cff4f1b2037469f9f9c86b830d0acfa700cd0e93a	iexplore.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

WaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d377be4d6a905ccc1ecb50e53bafd15a3b2fe97e9b3ccae7a8af3041542d209b.exe

pid	process
2936	d377be4d6a905ccc1ecb50e53bafd15a3b2fe97e9b3ccae7a8af3041542d209b.exe
2936	d377be4d6a905ccc1ecb50e53bafd15a3b2fe97e9b3ccae7a8af3041542d209b.exe
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2424

pid	process
2424

Suspicious behavior: MapViewOfSection 62 IoCs

Processes:

d377be4d6a905ccc1ecb50e53bafd15a3b2fe97e9b3ccae7a8af3041542d209b.exeEED.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
2936	d377be4d6a905ccc1ecb50e53bafd15a3b2fe97e9b3ccae7a8af3041542d209b.exe
632	EED.exe
2424
2424
2424
2424
2424
2424
2916	explorer.exe
2916	explorer.exe
2424
2424
2544	explorer.exe
2544	explorer.exe
2424
2424
3112	explorer.exe
3112	explorer.exe
2424
2424
3052	explorer.exe
3052	explorer.exe
2424
2424
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
2424
2424
680	explorer.exe
680	explorer.exe
680	explorer.exe
680	explorer.exe
680	explorer.exe
680	explorer.exe
680	explorer.exe
680	explorer.exe
680	explorer.exe
680	explorer.exe
680	explorer.exe
680	explorer.exe
680	explorer.exe
680	explorer.exe
680	explorer.exe
680	explorer.exe
680	explorer.exe
680	explorer.exe
680	explorer.exe
680	explorer.exe
680	explorer.exe
680	explorer.exe
680	explorer.exe
680	explorer.exe
680	explorer.exe
680	explorer.exe
680	explorer.exe
680	explorer.exe
680	explorer.exe
680	explorer.exe
680	explorer.exe
680	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WerFault.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeRestorePrivilege	848	WerFault.exe
Token: SeBackupPrivilege	848	WerFault.exe
Token: SeBackupPrivilege	848	WerFault.exe
Token: SeShutdownPrivilege	2424
Token: SeCreatePagefilePrivilege	2424
Token: SeIncreaseQuotaPrivilege	3652	WMIC.exe
Token: SeSecurityPrivilege	3652	WMIC.exe
Token: SeTakeOwnershipPrivilege	3652	WMIC.exe
Token: SeLoadDriverPrivilege	3652	WMIC.exe
Token: SeSystemProfilePrivilege	3652	WMIC.exe
Token: SeSystemtimePrivilege	3652	WMIC.exe
Token: SeProfSingleProcessPrivilege	3652	WMIC.exe
Token: SeIncBasePriorityPrivilege	3652	WMIC.exe
Token: SeCreatePagefilePrivilege	3652	WMIC.exe
Token: SeBackupPrivilege	3652	WMIC.exe
Token: SeRestorePrivilege	3652	WMIC.exe
Token: SeShutdownPrivilege	3652	WMIC.exe
Token: SeDebugPrivilege	3652	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3652	WMIC.exe
Token: SeRemoteShutdownPrivilege	3652	WMIC.exe
Token: SeUndockPrivilege	3652	WMIC.exe
Token: SeManageVolumePrivilege	3652	WMIC.exe
Token: 33	3652	WMIC.exe
Token: 34	3652	WMIC.exe
Token: 35	3652	WMIC.exe
Token: 36	3652	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3652	WMIC.exe
Token: SeSecurityPrivilege	3652	WMIC.exe
Token: SeTakeOwnershipPrivilege	3652	WMIC.exe
Token: SeLoadDriverPrivilege	3652	WMIC.exe
Token: SeSystemProfilePrivilege	3652	WMIC.exe
Token: SeSystemtimePrivilege	3652	WMIC.exe
Token: SeProfSingleProcessPrivilege	3652	WMIC.exe
Token: SeIncBasePriorityPrivilege	3652	WMIC.exe
Token: SeCreatePagefilePrivilege	3652	WMIC.exe
Token: SeBackupPrivilege	3652	WMIC.exe
Token: SeRestorePrivilege	3652	WMIC.exe
Token: SeShutdownPrivilege	3652	WMIC.exe
Token: SeDebugPrivilege	3652	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3652	WMIC.exe
Token: SeRemoteShutdownPrivilege	3652	WMIC.exe
Token: SeUndockPrivilege	3652	WMIC.exe
Token: SeManageVolumePrivilege	3652	WMIC.exe
Token: 33	3652	WMIC.exe
Token: 34	3652	WMIC.exe
Token: 35	3652	WMIC.exe
Token: 36	3652	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2892	WMIC.exe
Token: SeSecurityPrivilege	2892	WMIC.exe
Token: SeTakeOwnershipPrivilege	2892	WMIC.exe
Token: SeLoadDriverPrivilege	2892	WMIC.exe
Token: SeSystemProfilePrivilege	2892	WMIC.exe
Token: SeSystemtimePrivilege	2892	WMIC.exe
Token: SeProfSingleProcessPrivilege	2892	WMIC.exe
Token: SeIncBasePriorityPrivilege	2892	WMIC.exe
Token: SeCreatePagefilePrivilege	2892	WMIC.exe
Token: SeBackupPrivilege	2892	WMIC.exe
Token: SeRestorePrivilege	2892	WMIC.exe
Token: SeShutdownPrivilege	2892	WMIC.exe
Token: SeDebugPrivilege	2892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2892	WMIC.exe
Token: SeRemoteShutdownPrivilege	2892	WMIC.exe
Token: SeUndockPrivilege	2892	WMIC.exe
Token: SeManageVolumePrivilege	2892	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3952 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3952 iexplore.exe
3952 iexplore.exe
204 IEXPLORE.EXE
204 IEXPLORE.EXE

pid	process
3952	iexplore.exe

pid	process
3952	iexplore.exe
3952	iexplore.exe
204	IEXPLORE.EXE
204	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WerFault.execmd.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2424 wrote to memory of 632	2424		EED.exe
PID 2424 wrote to memory of 632	2424		EED.exe
PID 2424 wrote to memory of 632	2424		EED.exe
PID 32 wrote to memory of 3084	32	WerFault.exe	ibsfjwu
PID 32 wrote to memory of 3084	32	WerFault.exe	ibsfjwu
PID 2424 wrote to memory of 3544	2424		cmd.exe
PID 2424 wrote to memory of 3544	2424		cmd.exe
PID 3544 wrote to memory of 3652	3544	cmd.exe	WMIC.exe
PID 3544 wrote to memory of 3652	3544	cmd.exe	WMIC.exe
PID 3544 wrote to memory of 2892	3544	cmd.exe	WMIC.exe
PID 3544 wrote to memory of 2892	3544	cmd.exe	WMIC.exe
PID 3544 wrote to memory of 4028	3544	cmd.exe	WMIC.exe
PID 3544 wrote to memory of 4028	3544	cmd.exe	WMIC.exe
PID 3544 wrote to memory of 4040	3544	cmd.exe	WMIC.exe
PID 3544 wrote to memory of 4040	3544	cmd.exe	WMIC.exe
PID 3544 wrote to memory of 2764	3544	cmd.exe	WMIC.exe
PID 3544 wrote to memory of 2764	3544	cmd.exe	WMIC.exe
PID 3544 wrote to memory of 984	3544	cmd.exe	WMIC.exe
PID 3544 wrote to memory of 984	3544	cmd.exe	WMIC.exe
PID 3544 wrote to memory of 3764	3544	cmd.exe	WMIC.exe
PID 3544 wrote to memory of 3764	3544	cmd.exe	WMIC.exe
PID 3544 wrote to memory of 3164	3544	cmd.exe	WMIC.exe
PID 3544 wrote to memory of 3164	3544	cmd.exe	WMIC.exe
PID 3544 wrote to memory of 2116	3544	cmd.exe	WMIC.exe
PID 3544 wrote to memory of 2116	3544	cmd.exe	WMIC.exe
PID 3544 wrote to memory of 3396	3544	cmd.exe	WMIC.exe
PID 3544 wrote to memory of 3396	3544	cmd.exe	WMIC.exe
PID 3544 wrote to memory of 848	3544	cmd.exe	WMIC.exe
PID 3544 wrote to memory of 848	3544	cmd.exe	WMIC.exe
PID 3544 wrote to memory of 2640	3544	cmd.exe	WMIC.exe
PID 3544 wrote to memory of 2640	3544	cmd.exe	WMIC.exe
PID 3544 wrote to memory of 3472	3544	cmd.exe	WMIC.exe
PID 3544 wrote to memory of 3472	3544	cmd.exe	WMIC.exe
PID 3544 wrote to memory of 3520	3544	cmd.exe	WMIC.exe
PID 3544 wrote to memory of 3520	3544	cmd.exe	WMIC.exe
PID 3544 wrote to memory of 676	3544	cmd.exe	ipconfig.exe
PID 3544 wrote to memory of 676	3544	cmd.exe	ipconfig.exe
PID 3544 wrote to memory of 3172	3544	cmd.exe	ROUTE.EXE
PID 3544 wrote to memory of 3172	3544	cmd.exe	ROUTE.EXE
PID 3544 wrote to memory of 3420	3544	cmd.exe	netsh.exe
PID 3544 wrote to memory of 3420	3544	cmd.exe	netsh.exe
PID 3544 wrote to memory of 3672	3544	cmd.exe	systeminfo.exe
PID 3544 wrote to memory of 3672	3544	cmd.exe	systeminfo.exe
PID 3544 wrote to memory of 4040	3544	cmd.exe	tasklist.exe
PID 3544 wrote to memory of 4040	3544	cmd.exe	tasklist.exe
PID 3544 wrote to memory of 2188	3544	cmd.exe	net.exe
PID 3544 wrote to memory of 2188	3544	cmd.exe	net.exe
PID 2188 wrote to memory of 532	2188	net.exe	net1.exe
PID 2188 wrote to memory of 532	2188	net.exe	net1.exe
PID 3544 wrote to memory of 644	3544	cmd.exe	net.exe
PID 3544 wrote to memory of 644	3544	cmd.exe	net.exe
PID 644 wrote to memory of 1436	644	net.exe	net1.exe
PID 644 wrote to memory of 1436	644	net.exe	net1.exe
PID 3544 wrote to memory of 1832	3544	cmd.exe	net.exe
PID 3544 wrote to memory of 1832	3544	cmd.exe	net.exe
PID 1832 wrote to memory of 3184	1832	net.exe	net1.exe
PID 1832 wrote to memory of 3184	1832	net.exe	net1.exe
PID 3544 wrote to memory of 2900	3544	cmd.exe	net.exe
PID 3544 wrote to memory of 2900	3544	cmd.exe	net.exe
PID 2900 wrote to memory of 2412	2900	net.exe	net1.exe
PID 2900 wrote to memory of 2412	2900	net.exe	net1.exe
PID 3544 wrote to memory of 2212	3544	cmd.exe	net.exe
PID 3544 wrote to memory of 2212	3544	cmd.exe	net.exe
PID 3544 wrote to memory of 3532	3544	cmd.exe	net.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2248

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2712

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2712 -s 1016
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2436

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2816

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2884

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:404

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1452

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3848

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2512

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2284

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\d377be4d6a905ccc1ecb50e53bafd15a3b2fe97e9b3ccae7a8af3041542d209b.exe
"C:\Users\Admin\AppData\Local\Temp\d377be4d6a905ccc1ecb50e53bafd15a3b2fe97e9b3ccae7a8af3041542d209b.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2936

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 275da61b2f8f23b53a31f7f74fdd7d21 YgVdqpoXwUiqHaJ9UTdVaQ.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:3496

C:\Users\Admin\AppData\Local\Temp\EED.exe
C:\Users\Admin\AppData\Local\Temp\EED.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:632

C:\Users\Admin\AppData\Roaming\ibsfjwu
C:\Users\Admin\AppData\Roaming\ibsfjwu
1⤵
- Executes dropped EXE
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 340
2⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3084 -ip 3084
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:32

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:3544

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:4028

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:4040

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:2764

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
2⤵
PID:984

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
2⤵
PID:3764

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
2⤵
PID:3164

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
2⤵
PID:2116

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
2⤵
PID:3396

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
2⤵
PID:848

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
2⤵
PID:2640

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
2⤵
PID:3472

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
2⤵
PID:3520

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
2⤵
- Gathers network information
PID:676

C:\Windows\system32\ROUTE.EXE
route print
2⤵
PID:3172

C:\Windows\system32\netsh.exe
netsh firewall show state
2⤵
PID:3420

C:\Windows\system32\systeminfo.exe
systeminfo
2⤵
- Gathers system information
PID:3672

C:\Windows\system32\tasklist.exe
tasklist /v
2⤵
- Enumerates processes with tasklist
PID:4040

C:\Windows\system32\net.exe
net accounts /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 accounts /domain
3⤵
PID:532

C:\Windows\system32\net.exe
net share
2⤵
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
3⤵
PID:1436

C:\Windows\system32\net.exe
net user
2⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
3⤵
PID:3184

C:\Windows\system32\net.exe
net user /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /domain
3⤵
PID:2412

C:\Windows\system32\net.exe
net use
2⤵
PID:2212

C:\Windows\system32\net.exe
net group
2⤵
PID:3532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group
3⤵
PID:2128

C:\Windows\system32\net.exe
net localgroup
2⤵
PID:2912

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
3⤵
PID:1276

C:\Windows\system32\NETSTAT.EXE
netstat -r
2⤵
- Gathers network information
PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
3⤵
PID:864

C:\Windows\system32\ROUTE.EXE
C:\Windows\system32\route.exe print
4⤵
PID:2136

C:\Windows\system32\NETSTAT.EXE
netstat -nao
2⤵
- Gathers network information
PID:3916

C:\Windows\system32\schtasks.exe
schtasks /query
2⤵
PID:876

C:\Windows\system32\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:3304

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3884

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:2380

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:2460

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3952

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3952 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
1⤵
PID:372

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 880
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2204 -ip 2204
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3008

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2296

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2916

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2544

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3112

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3052

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1480

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:680

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 492 -p 2712 -ip 2712
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3532

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3104

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3104 -s 828
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:212

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 396 -p 3104 -ip 3104
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1336

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2584

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2584 -s 804
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4052

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 2584 -ip 2584
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3432

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:224

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 224 -s 492
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3688

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 216 -p 224 -ip 224
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:396

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2188

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2188 -s 784
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1044

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 2188 -ip 2188
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

3

Peripheral Device Discovery

T1120

System Information Discovery

5

Process Discovery