smokeloader | 5980c4aae31565e95b76b3150f92344edcdd8b84c5c7059afb804e0df14532bd

Analysis

max time kernel
150s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
27-01-2022 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5980c4aae31565e95b76b3150f92344edcdd8b84c5c7059afb804e0df14532bd.exe
Size

239KB
MD5

3485f107a03b76035e7bdc254119f11e
SHA1

c7eec65666ddfe3527e35a56340a3e630e027b76
SHA256

5980c4aae31565e95b76b3150f92344edcdd8b84c5c7059afb804e0df14532bd
SHA512

8a72b13adb28f78322137214d40ea5da98b85b338cdf76cc2afc615381c0b77ccc25a093f7ab975c6336ab91014158dea37b5617b2c3558004fa609ac22632ed

Score

10^/10

smokeloader backdoor evasion persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

https://oakland-studio.video/search.php

https://seattle-university.video/search.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 1352 created 464	1352	WerFault.exe	explorer.exe
PID 1260 created 2692	1260	WerFault.exe	DllHost.exe
PID 3908 created 852	3908	WerFault.exe	DllHost.exe
PID 1492 created 3316	1492	WerFault.exe	DllHost.exe
PID 2136 created 3972	2136	WerFault.exe	DllHost.exe
PID 1352 created 2920	1352	WerFault.exe	DllHost.exe
PID 3284 created 3908	3284	WerFault.exe	DllHost.exe
PID 2948 created 1156	2948	WerFault.exe	DllHost.exe
PID 1936 created 3108	1936	WerFault.exe	DllHost.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Windows directory 2 IoCs

Processes:

TiWorker.exeWerFault.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2948	464	WerFault.exe	explorer.exe
3416	2692	WerFault.exe	DllHost.exe
2480	852	WerFault.exe	DllHost.exe
3204	3316	WerFault.exe	DllHost.exe
2420	3972	WerFault.exe	DllHost.exe
544	2920	WerFault.exe	DllHost.exe
676	3908	WerFault.exe	DllHost.exe
1104	1156	WerFault.exe	DllHost.exe
1264	3108	WerFault.exe	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5980c4aae31565e95b76b3150f92344edcdd8b84c5c7059afb804e0df14532bd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5980c4aae31565e95b76b3150f92344edcdd8b84c5c7059afb804e0df14532bd.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5980c4aae31565e95b76b3150f92344edcdd8b84c5c7059afb804e0df14532bd.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5980c4aae31565e95b76b3150f92344edcdd8b84c5c7059afb804e0df14532bd.exe

Checks processor information in registry 2 TTPs 27 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1772 tasklist.exe

pid	process
1772	tasklist.exe

Enumerates system info in registry 2 TTPs 18 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeNETSTAT.EXENETSTAT.EXEipconfig.exe

pid process

820 ipconfig.exe
2960 NETSTAT.EXE
3832 NETSTAT.EXE
432 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

3420 systeminfo.exe

pid	process
820	ipconfig.exe
2960	NETSTAT.EXE
3832	NETSTAT.EXE
432	ipconfig.exe

pid	process
3420	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f07f3c006113d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c03ab1006113d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4264245494"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30937952"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cce5a29beacafa47833fc2d72883fdda00000000020000000000106600000001000020000000a44e424af7e4866eab29202e18c51e93fe3c4f7f75e703c09a529677ce8cbb06000000000e800000000200002000000079ebd897598827f0fb48a7242859073b71e4ac7799a07736abaface2e4a22ab7200000003fb858743a18b126f8a10f0dab52dd88df140a809d5085a42d03d176abd40e00400000000326d768f63f3bd12b77578646fddf20a8763593be1899adf9d9f61bad65a012f8ffb2ac43675dc181b0b78f5111fc0da2ebeced55606427a58e2ec052f4a60b	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4264245494"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cce5a29beacafa47833fc2d72883fdda000000000200000000001066000000010000200000001f432bd15356d3bafd71579e902252c486c55e01484b944e052ce050546712d0000000000e80000000020000200000008f71822b477e65bbebc5aedf476a9a8cb7c68b00a23dd1a567338413f4918bd920000000bede025b730626a2626895d5f304b56654a5f14435e680b100479a5f2909cae9400000007ecb6e337d298e568ad63492f8f8872604aae5418b344fc75b64b3828cdb0672ea6695d7fe823d6a3e9b40a27beb4014b41800e5ae9f51c3ad10d616d9a8dedd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{28EFE1B7-7F54-11EC-82D0-CA1788A21B43} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "350040977"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30937952"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30937952"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30937952"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4262683265"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4262683265"	iexplore.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

WaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5980c4aae31565e95b76b3150f92344edcdd8b84c5c7059afb804e0df14532bd.exe

pid	process
760	5980c4aae31565e95b76b3150f92344edcdd8b84c5c7059afb804e0df14532bd.exe
760	5980c4aae31565e95b76b3150f92344edcdd8b84c5c7059afb804e0df14532bd.exe
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2384

pid	process
2384

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

5980c4aae31565e95b76b3150f92344edcdd8b84c5c7059afb804e0df14532bd.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
760	5980c4aae31565e95b76b3150f92344edcdd8b84c5c7059afb804e0df14532bd.exe
2384
2384
2384
2384
2384
2384
220	explorer.exe
220	explorer.exe
2384
2384
3868	explorer.exe
3868	explorer.exe
2384
2384
1944	explorer.exe
1944	explorer.exe
2384
2384
3628	explorer.exe
3628	explorer.exe
2384
2384
112	explorer.exe
112	explorer.exe
112	explorer.exe
112	explorer.exe
2384
2384
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	712	WMIC.exe
Token: SeSecurityPrivilege	712	WMIC.exe
Token: SeTakeOwnershipPrivilege	712	WMIC.exe
Token: SeLoadDriverPrivilege	712	WMIC.exe
Token: SeSystemProfilePrivilege	712	WMIC.exe
Token: SeSystemtimePrivilege	712	WMIC.exe
Token: SeProfSingleProcessPrivilege	712	WMIC.exe
Token: SeIncBasePriorityPrivilege	712	WMIC.exe
Token: SeCreatePagefilePrivilege	712	WMIC.exe
Token: SeBackupPrivilege	712	WMIC.exe
Token: SeRestorePrivilege	712	WMIC.exe
Token: SeShutdownPrivilege	712	WMIC.exe
Token: SeDebugPrivilege	712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	712	WMIC.exe
Token: SeRemoteShutdownPrivilege	712	WMIC.exe
Token: SeUndockPrivilege	712	WMIC.exe
Token: SeManageVolumePrivilege	712	WMIC.exe
Token: 33	712	WMIC.exe
Token: 34	712	WMIC.exe
Token: 35	712	WMIC.exe
Token: 36	712	WMIC.exe
Token: SeIncreaseQuotaPrivilege	712	WMIC.exe
Token: SeSecurityPrivilege	712	WMIC.exe
Token: SeTakeOwnershipPrivilege	712	WMIC.exe
Token: SeLoadDriverPrivilege	712	WMIC.exe
Token: SeSystemProfilePrivilege	712	WMIC.exe
Token: SeSystemtimePrivilege	712	WMIC.exe
Token: SeProfSingleProcessPrivilege	712	WMIC.exe
Token: SeIncBasePriorityPrivilege	712	WMIC.exe
Token: SeCreatePagefilePrivilege	712	WMIC.exe
Token: SeBackupPrivilege	712	WMIC.exe
Token: SeRestorePrivilege	712	WMIC.exe
Token: SeShutdownPrivilege	712	WMIC.exe
Token: SeDebugPrivilege	712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	712	WMIC.exe
Token: SeRemoteShutdownPrivilege	712	WMIC.exe
Token: SeUndockPrivilege	712	WMIC.exe
Token: SeManageVolumePrivilege	712	WMIC.exe
Token: 33	712	WMIC.exe
Token: 34	712	WMIC.exe
Token: 35	712	WMIC.exe
Token: 36	712	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2820	WMIC.exe
Token: SeSecurityPrivilege	2820	WMIC.exe
Token: SeTakeOwnershipPrivilege	2820	WMIC.exe
Token: SeLoadDriverPrivilege	2820	WMIC.exe
Token: SeSystemProfilePrivilege	2820	WMIC.exe
Token: SeSystemtimePrivilege	2820	WMIC.exe
Token: SeProfSingleProcessPrivilege	2820	WMIC.exe
Token: SeIncBasePriorityPrivilege	2820	WMIC.exe
Token: SeCreatePagefilePrivilege	2820	WMIC.exe
Token: SeBackupPrivilege	2820	WMIC.exe
Token: SeRestorePrivilege	2820	WMIC.exe
Token: SeShutdownPrivilege	2820	WMIC.exe
Token: SeDebugPrivilege	2820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2820	WMIC.exe
Token: SeRemoteShutdownPrivilege	2820	WMIC.exe
Token: SeUndockPrivilege	2820	WMIC.exe
Token: SeManageVolumePrivilege	2820	WMIC.exe
Token: 33	2820	WMIC.exe
Token: 34	2820	WMIC.exe
Token: 35	2820	WMIC.exe
Token: 36	2820	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2820	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1444 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1444 iexplore.exe
1444 iexplore.exe
3364 IEXPLORE.EXE
3364 IEXPLORE.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

RuntimeBroker.exe

pid process

3528 RuntimeBroker.exe

pid	process
1444	iexplore.exe

pid	process
1444	iexplore.exe
1444	iexplore.exe
3364	IEXPLORE.EXE
3364	IEXPLORE.EXE

pid	process
3528	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2384 wrote to memory of 816	2384		cmd.exe
PID 2384 wrote to memory of 816	2384		cmd.exe
PID 816 wrote to memory of 712	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 712	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 2820	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 2820	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 1340	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 1340	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 3204	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 3204	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 4028	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 4028	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 1432	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 1432	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 1588	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 1588	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 3708	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 3708	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 1140	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 1140	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 4024	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 4024	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 2176	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 2176	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 3560	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 3560	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 3772	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 3772	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 2988	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 2988	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 820	816	cmd.exe	ipconfig.exe
PID 816 wrote to memory of 820	816	cmd.exe	ipconfig.exe
PID 816 wrote to memory of 3584	816	cmd.exe	ROUTE.EXE
PID 816 wrote to memory of 3584	816	cmd.exe	ROUTE.EXE
PID 816 wrote to memory of 2448	816	cmd.exe	netsh.exe
PID 816 wrote to memory of 2448	816	cmd.exe	netsh.exe
PID 816 wrote to memory of 3420	816	cmd.exe	systeminfo.exe
PID 816 wrote to memory of 3420	816	cmd.exe	systeminfo.exe
PID 816 wrote to memory of 1772	816	cmd.exe	tasklist.exe
PID 816 wrote to memory of 1772	816	cmd.exe	tasklist.exe
PID 816 wrote to memory of 3120	816	cmd.exe	net.exe
PID 816 wrote to memory of 3120	816	cmd.exe	net.exe
PID 3120 wrote to memory of 3760	3120	net.exe	net1.exe
PID 3120 wrote to memory of 3760	3120	net.exe	net1.exe
PID 816 wrote to memory of 2948	816	cmd.exe	net.exe
PID 816 wrote to memory of 2948	816	cmd.exe	net.exe
PID 2948 wrote to memory of 652	2948	net.exe	net1.exe
PID 2948 wrote to memory of 652	2948	net.exe	net1.exe
PID 816 wrote to memory of 1964	816	cmd.exe	net.exe
PID 816 wrote to memory of 1964	816	cmd.exe	net.exe
PID 1964 wrote to memory of 712	1964	net.exe	net1.exe
PID 1964 wrote to memory of 712	1964	net.exe	net1.exe
PID 816 wrote to memory of 1432	816	cmd.exe	net.exe
PID 816 wrote to memory of 1432	816	cmd.exe	net.exe
PID 1432 wrote to memory of 3900	1432	net.exe	net1.exe
PID 1432 wrote to memory of 3900	1432	net.exe	net1.exe
PID 816 wrote to memory of 4060	816	cmd.exe	net.exe
PID 816 wrote to memory of 4060	816	cmd.exe	net.exe
PID 816 wrote to memory of 2608	816	cmd.exe	net.exe
PID 816 wrote to memory of 2608	816	cmd.exe	net.exe
PID 2608 wrote to memory of 3564	2608	net.exe	net1.exe
PID 2608 wrote to memory of 3564	2608	net.exe	net1.exe
PID 816 wrote to memory of 1016	816	cmd.exe	net.exe
PID 816 wrote to memory of 1016	816	cmd.exe	net.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2932

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3612

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3528

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2128

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3020

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2788

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2692
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2692 -s 984
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:3416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2496

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2188

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\5980c4aae31565e95b76b3150f92344edcdd8b84c5c7059afb804e0df14532bd.exe
"C:\Users\Admin\AppData\Local\Temp\5980c4aae31565e95b76b3150f92344edcdd8b84c5c7059afb804e0df14532bd.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:760

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 36b24388b3cdd45bb713323b3c45e913 pENXZnoQfkS8lHBIlpwrEQ.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:3292

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:816
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:712
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
  2⤵
  PID:1340
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
  2⤵
  PID:3204
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
  2⤵
  PID:4028
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
  2⤵
  PID:1432
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
  2⤵
  PID:1588
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
  2⤵
  PID:3708
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
  2⤵
  PID:1140
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
  2⤵
  PID:4024
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
  2⤵
  PID:2176
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
  2⤵
  PID:3560
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
  2⤵
  PID:3772
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
  2⤵
  PID:2988
- C:\Windows\system32\ipconfig.exe
  ipconfig /displaydns
  2⤵
  - Gathers network information
  PID:820
- C:\Windows\system32\ROUTE.EXE
  route print
  2⤵
  PID:3584
- C:\Windows\system32\netsh.exe
  netsh firewall show state
  2⤵
  PID:2448
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:3420
- C:\Windows\system32\tasklist.exe
  tasklist /v
  2⤵
  - Enumerates processes with tasklist
  PID:1772
- C:\Windows\system32\net.exe
  net accounts /domain
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 accounts /domain
    3⤵
    PID:3760
- C:\Windows\system32\net.exe
  net share
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share
    3⤵
    PID:652
- C:\Windows\system32\net.exe
  net user
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user
    3⤵
    PID:712
- C:\Windows\system32\net.exe
  net user /domain
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user /domain
    3⤵
    PID:3900
- C:\Windows\system32\net.exe
  net use
  2⤵
  PID:4060
- C:\Windows\system32\net.exe
  net group
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 group
    3⤵
    PID:3564
- C:\Windows\system32\net.exe
  net localgroup
  2⤵
  PID:1016
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup
    3⤵
    PID:2940
- C:\Windows\system32\NETSTAT.EXE
  netstat -r
  2⤵
  - Gathers network information
  PID:2960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
    3⤵
    PID:2716
  - - C:\Windows\system32\ROUTE.EXE
      C:\Windows\system32\route.exe print
      4⤵
      PID:2780
- C:\Windows\system32\NETSTAT.EXE
  netstat -nao
  2⤵
  - Gathers network information
  PID:3832
- C:\Windows\system32\schtasks.exe
  schtasks /query
  2⤵
  PID:1988
- C:\Windows\system32\ipconfig.exe
  ipconfig /all
  2⤵
  - Gathers network information
  PID:432

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2564

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:2592

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:1564

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1444
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1444 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
1⤵
PID:2832

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:464
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 812
  2⤵
  - Drops file in Windows directory
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 464 -ip 464
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1352

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3120

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:220

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3868

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1944

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3628

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:112

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3716

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 2692 -ip 2692
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1260

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1068

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:852
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 852 -s 776
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:2480

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 852 -ip 852
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3908

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3316
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3316 -s 840
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:3204

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 3316 -ip 3316
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1492

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3972
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3972 -s 804
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:2420

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 3972 -ip 3972
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2136

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2920
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2920 -s 732
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:544

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 2920 -ip 2920
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1352

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3908
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3908 -s 736
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:676

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 3908 -ip 3908
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3284

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1156
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1156 -s 816
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:1104

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 1156 -ip 1156
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2948

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3108
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3108 -s 840
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:1264

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 188 -p 3108 -ip 3108
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

MD5
6e68ff4f0c3d50ee92e1aff9907d2432

SHA1
3940de942700c37493b20c964a7572feab423673

SHA256
a9cd9ecd8b7f675c79bb7ccd37c3a973a2d333788a42252db00789d759f72beb

SHA512
53a5c5046e4d86633564af49f061d0c651a32d9858d040e105f11b95547d4206039e63f56ecc3c2eb31ca499ad6fde43223f4e0c6067ed21a13d6afccb47c41b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

MD5
7a264f74cd533393f97b414e961a0d3b

SHA1
763e8e2ba3800bcf7580690d47e81335f05c3884

SHA256
cda2d60601e306bb2d13e96bc0c545e36aa82f5bb58c5e37f8de432dcc09812e

SHA512
b0fc31f56596c744fafea0109c74e4eea2f625f05ee565f4b972e3d3b7a276b1a66c857c2bab07ef83a14ba80d6d6c2f3d394228d4653c860a1be4ba8307b069

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/112-175-0x0000000000BB0000-0x0000000000BB6000-memory.dmp

Filesize
24KB

Download
memory/112-176-0x0000000000BA0000-0x0000000000BAB000-memory.dmp

Filesize
44KB

Download
memory/220-167-0x0000000003170000-0x0000000003177000-memory.dmp

Filesize
28KB

Download
memory/220-168-0x0000000003160000-0x000000000316B000-memory.dmp

Filesize
44KB

Download
memory/464-164-0x0000000000B20000-0x0000000000B8B000-memory.dmp

Filesize
428KB

Download
memory/464-163-0x0000000000B90000-0x0000000000C05000-memory.dmp

Filesize
468KB

Download
memory/760-130-0x0000000000530000-0x0000000000558000-memory.dmp

Filesize
160KB

Download
memory/760-131-0x0000000000510000-0x0000000000519000-memory.dmp

Filesize
36KB

Download
memory/760-132-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/852-655-0x0000016B5F720000-0x0000016B5F728000-memory.dmp

Filesize
32KB

Download
memory/852-651-0x0000016B5FAA0000-0x0000016B5FAA8000-memory.dmp

Filesize
32KB

Download
memory/852-650-0x0000016B5FA40000-0x0000016B5FA48000-memory.dmp

Filesize
32KB

Download
memory/852-652-0x0000016B5FA90000-0x0000016B5FA91000-memory.dmp

Filesize
4KB

Download
memory/852-653-0x0000016B5F730000-0x0000016B5F738000-memory.dmp

Filesize
32KB

Download
memory/1068-444-0x000001D9CE770000-0x000001D9CE771000-memory.dmp

Filesize
4KB

Download
memory/1564-177-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/1564-178-0x0000000004720000-0x000000000472B000-memory.dmp

Filesize
44KB

Download
memory/1944-172-0x0000000000B50000-0x0000000000B59000-memory.dmp

Filesize
36KB

Download
memory/1944-171-0x0000000000B60000-0x0000000000B65000-memory.dmp

Filesize
20KB

Download
memory/2128-187-0x000001A035F90000-0x000001A035F91000-memory.dmp

Filesize
4KB

Download
memory/2168-181-0x0000028A36220000-0x0000028A36221000-memory.dmp

Filesize
4KB

Download
memory/2188-182-0x00000246E7180000-0x00000246E7181000-memory.dmp

Filesize
4KB

Download
memory/2240-183-0x000001CEA6AF0000-0x000001CEA6AF1000-memory.dmp

Filesize
4KB

Download
memory/2384-133-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/2384-134-0x0000000007190000-0x000000000719F000-memory.dmp

Filesize
60KB

Download
memory/2496-184-0x0000027859B50000-0x0000027859B51000-memory.dmp

Filesize
4KB

Download
memory/2788-185-0x0000017EA5DC0000-0x0000017EA5DC1000-memory.dmp

Filesize
4KB

Download
memory/2932-186-0x0000025B569B0000-0x0000025B569B1000-memory.dmp

Filesize
4KB

Download
memory/3120-165-0x0000000000D40000-0x0000000000D47000-memory.dmp

Filesize
28KB

Download
memory/3120-166-0x0000000000D30000-0x0000000000D3C000-memory.dmp

Filesize
48KB

Download
memory/3416-394-0x0000027401FD0000-0x0000027401FD1000-memory.dmp

Filesize
4KB

Download
memory/3528-189-0x000001B236CE0000-0x000001B236CE1000-memory.dmp

Filesize
4KB

Download
memory/3528-230-0x000001B236CE0000-0x000001B236CE1000-memory.dmp

Filesize
4KB

Download
memory/3612-188-0x0000026D1D9A0000-0x0000026D1D9A1000-memory.dmp

Filesize
4KB

Download
memory/3628-174-0x0000000001020000-0x000000000102C000-memory.dmp

Filesize
48KB

Download
memory/3628-173-0x0000000001030000-0x0000000001036000-memory.dmp

Filesize
24KB

Download
memory/3716-180-0x00000000010C0000-0x00000000010CD000-memory.dmp

Filesize
52KB

Download
memory/3716-179-0x00000000010D0000-0x00000000010D7000-memory.dmp

Filesize
28KB

Download
memory/3868-170-0x00000000008F0000-0x00000000008FE000-memory.dmp

Filesize
56KB

Download
memory/3868-169-0x0000000000900000-0x0000000000909000-memory.dmp

Filesize
36KB

Download