smokeloader | 89381e65ee999ab00da2d330f1832edac6542a5d4bb75f40fc2a6ece6c9a84c9

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
27-01-2022 10:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89381e65ee999ab00da2d330f1832edac6542a5d4bb75f40fc2a6ece6c9a84c9.exe
Size

187KB
MD5

d8f237129cb99cd73238d67b150f893f
SHA1

3dc170727eec382c42d0651f4af2362879a82de7
SHA256

89381e65ee999ab00da2d330f1832edac6542a5d4bb75f40fc2a6ece6c9a84c9
SHA512

76cae32216d433e3c0102aa62bec83a8d176c260ec02e059152b69e08a90b927617259ad28e997a12a982025d669b9be4983cacff8025ec2223ca311eef0c509

Score

10^/10

smokeloader backdoor evasion persistence suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

https://oakland-studio.video/search.php

https://seattle-university.video/search.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 644 created 3360	644	WerFault.exe	explorer.exe
PID 3012 created 2768	3012	WerFault.exe	DllHost.exe
PID 916 created 3252	916	WerFault.exe	DllHost.exe
PID 1952 created 1352	1952	WerFault.exe	DllHost.exe
PID 1848 created 700	1848	WerFault.exe	DllHost.exe
PID 4000 created 544	4000	WerFault.exe	DllHost.exe
PID 1888 created 3960	1888	WerFault.exe	DllHost.exe

suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
suricata
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Windows directory 2 IoCs

Processes:

TiWorker.exeWerFault.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
208	3360	WerFault.exe	explorer.exe
2972	2768	WerFault.exe	DllHost.exe
3432	3252	WerFault.exe	DllHost.exe
3952	1352	WerFault.exe	DllHost.exe
844	700	WerFault.exe	DllHost.exe
3912	544	WerFault.exe	DllHost.exe
3216	3960	WerFault.exe	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

89381e65ee999ab00da2d330f1832edac6542a5d4bb75f40fc2a6ece6c9a84c9.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	89381e65ee999ab00da2d330f1832edac6542a5d4bb75f40fc2a6ece6c9a84c9.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	89381e65ee999ab00da2d330f1832edac6542a5d4bb75f40fc2a6ece6c9a84c9.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	89381e65ee999ab00da2d330f1832edac6542a5d4bb75f40fc2a6ece6c9a84c9.exe

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3848 tasklist.exe

pid	process
3848	tasklist.exe

Enumerates system info in registry 2 TTPs 14 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeNETSTAT.EXENETSTAT.EXEipconfig.exe

pid process

1304 ipconfig.exe
2312 NETSTAT.EXE
3224 NETSTAT.EXE
3452 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1788 systeminfo.exe

pid	process
1304	ipconfig.exe
2312	NETSTAT.EXE
3224	NETSTAT.EXE
3452	ipconfig.exe

pid	process
1788	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1356250564"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "350046273"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cce5a29beacafa47833fc2d72883fdda0000000002000000000010660000000100002000000046caf3177dbc8311c74cc6b790f8d648b3cf6cb0d9f76afc2d7f51e98cca159c000000000e80000000020000200000004d1e5c2ec37c82d2464079decfdb15bd717c57ba0e8a43bc988362e0999f863020000000f1ac19c233515c94645934b9a3ce9cba3269ab4afef3c512d3202245ce87f80d40000000154109d9c8e0c51edf71e3fa12cf88f1b64bf322f665e5497999590329677be4d5bb3578d1f7cab2f7cf4eef2d6aadcadf7ada266150485ecd154af2101f75c1	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0a668536d13d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30937965"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cce5a29beacafa47833fc2d72883fdda0000000002000000000010660000000100002000000000c7cb3015fd06ef0ab0f4e989d6d031e03f285fbc04da5043612682245013ff000000000e8000000002000020000000ea635dbb5d3d9d4e7bdd6ea58651783e7ccc46e86d7450aac9a6b559f462f1cd20000000fcccba26d8dec17cffdbd78c24ebe2b241cd22494f843a80b0ceae9a5764a48b40000000f90042902ba5fbdb6ab887c87dbd536ec9d7f406a3bb63ee9d4831288b336d5e6f8790df9fbb1e7a69deb624e782e1c86111b0892e9d2760170e418fecc61191	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1353906379"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30937965"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1353906379"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30937965"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30937965"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 101e4c536d13d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1356250564"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7B9DC60E-7F60-11EC-82D0-F6A2DCD19F6B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

WaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

89381e65ee999ab00da2d330f1832edac6542a5d4bb75f40fc2a6ece6c9a84c9.exe

pid	process
3600	89381e65ee999ab00da2d330f1832edac6542a5d4bb75f40fc2a6ece6c9a84c9.exe
3600	89381e65ee999ab00da2d330f1832edac6542a5d4bb75f40fc2a6ece6c9a84c9.exe
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476
2476

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2476

pid	process
2476

Suspicious behavior: MapViewOfSection 63 IoCs

Processes:

89381e65ee999ab00da2d330f1832edac6542a5d4bb75f40fc2a6ece6c9a84c9.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
3600	89381e65ee999ab00da2d330f1832edac6542a5d4bb75f40fc2a6ece6c9a84c9.exe
2476
2476
2476
2476
2476
2476
3332	explorer.exe
3332	explorer.exe
2476
2476
1248	explorer.exe
1248	explorer.exe
2476
2476
3540	explorer.exe
3540	explorer.exe
2476
2476
3328	explorer.exe
3328	explorer.exe
2476
2476
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
2476
2476
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe
3668	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3808	WMIC.exe
Token: SeSecurityPrivilege	3808	WMIC.exe
Token: SeTakeOwnershipPrivilege	3808	WMIC.exe
Token: SeLoadDriverPrivilege	3808	WMIC.exe
Token: SeSystemProfilePrivilege	3808	WMIC.exe
Token: SeSystemtimePrivilege	3808	WMIC.exe
Token: SeProfSingleProcessPrivilege	3808	WMIC.exe
Token: SeIncBasePriorityPrivilege	3808	WMIC.exe
Token: SeCreatePagefilePrivilege	3808	WMIC.exe
Token: SeBackupPrivilege	3808	WMIC.exe
Token: SeRestorePrivilege	3808	WMIC.exe
Token: SeShutdownPrivilege	3808	WMIC.exe
Token: SeDebugPrivilege	3808	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3808	WMIC.exe
Token: SeRemoteShutdownPrivilege	3808	WMIC.exe
Token: SeUndockPrivilege	3808	WMIC.exe
Token: SeManageVolumePrivilege	3808	WMIC.exe
Token: 33	3808	WMIC.exe
Token: 34	3808	WMIC.exe
Token: 35	3808	WMIC.exe
Token: 36	3808	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3808	WMIC.exe
Token: SeSecurityPrivilege	3808	WMIC.exe
Token: SeTakeOwnershipPrivilege	3808	WMIC.exe
Token: SeLoadDriverPrivilege	3808	WMIC.exe
Token: SeSystemProfilePrivilege	3808	WMIC.exe
Token: SeSystemtimePrivilege	3808	WMIC.exe
Token: SeProfSingleProcessPrivilege	3808	WMIC.exe
Token: SeIncBasePriorityPrivilege	3808	WMIC.exe
Token: SeCreatePagefilePrivilege	3808	WMIC.exe
Token: SeBackupPrivilege	3808	WMIC.exe
Token: SeRestorePrivilege	3808	WMIC.exe
Token: SeShutdownPrivilege	3808	WMIC.exe
Token: SeDebugPrivilege	3808	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3808	WMIC.exe
Token: SeRemoteShutdownPrivilege	3808	WMIC.exe
Token: SeUndockPrivilege	3808	WMIC.exe
Token: SeManageVolumePrivilege	3808	WMIC.exe
Token: 33	3808	WMIC.exe
Token: 34	3808	WMIC.exe
Token: 35	3808	WMIC.exe
Token: 36	3808	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3160	WMIC.exe
Token: SeSecurityPrivilege	3160	WMIC.exe
Token: SeTakeOwnershipPrivilege	3160	WMIC.exe
Token: SeLoadDriverPrivilege	3160	WMIC.exe
Token: SeSystemProfilePrivilege	3160	WMIC.exe
Token: SeSystemtimePrivilege	3160	WMIC.exe
Token: SeProfSingleProcessPrivilege	3160	WMIC.exe
Token: SeIncBasePriorityPrivilege	3160	WMIC.exe
Token: SeCreatePagefilePrivilege	3160	WMIC.exe
Token: SeBackupPrivilege	3160	WMIC.exe
Token: SeRestorePrivilege	3160	WMIC.exe
Token: SeShutdownPrivilege	3160	WMIC.exe
Token: SeDebugPrivilege	3160	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3160	WMIC.exe
Token: SeRemoteShutdownPrivilege	3160	WMIC.exe
Token: SeUndockPrivilege	3160	WMIC.exe
Token: SeManageVolumePrivilege	3160	WMIC.exe
Token: 33	3160	WMIC.exe
Token: 34	3160	WMIC.exe
Token: 35	3160	WMIC.exe
Token: 36	3160	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3160	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3312 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3312 iexplore.exe
3312 iexplore.exe
2236 IEXPLORE.EXE
2236 IEXPLORE.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

RuntimeBroker.exe

pid process

3380 RuntimeBroker.exe

pid	process
3312	iexplore.exe

pid	process
3312	iexplore.exe
3312	iexplore.exe
2236	IEXPLORE.EXE
2236	IEXPLORE.EXE

pid	process
3380	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2476 wrote to memory of 1372	2476		cmd.exe
PID 2476 wrote to memory of 1372	2476		cmd.exe
PID 1372 wrote to memory of 3808	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 3808	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 3160	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 3160	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 3956	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 3956	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 3848	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 3848	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 1852	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 1852	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 1380	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 1380	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 1504	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 1504	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 3304	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 3304	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 1568	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 1568	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 3152	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 3152	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 3904	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 3904	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 3372	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 3372	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 3200	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 3200	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 1828	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 1828	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 1304	1372	cmd.exe	ipconfig.exe
PID 1372 wrote to memory of 1304	1372	cmd.exe	ipconfig.exe
PID 1372 wrote to memory of 2916	1372	cmd.exe	ROUTE.EXE
PID 1372 wrote to memory of 2916	1372	cmd.exe	ROUTE.EXE
PID 1372 wrote to memory of 3912	1372	cmd.exe	netsh.exe
PID 1372 wrote to memory of 3912	1372	cmd.exe	netsh.exe
PID 1372 wrote to memory of 1788	1372	cmd.exe	systeminfo.exe
PID 1372 wrote to memory of 1788	1372	cmd.exe	systeminfo.exe
PID 1372 wrote to memory of 3848	1372	cmd.exe	tasklist.exe
PID 1372 wrote to memory of 3848	1372	cmd.exe	tasklist.exe
PID 1372 wrote to memory of 1008	1372	cmd.exe	net.exe
PID 1372 wrote to memory of 1008	1372	cmd.exe	net.exe
PID 1008 wrote to memory of 3936	1008	net.exe	net1.exe
PID 1008 wrote to memory of 3936	1008	net.exe	net1.exe
PID 1372 wrote to memory of 3836	1372	cmd.exe	net.exe
PID 1372 wrote to memory of 3836	1372	cmd.exe	net.exe
PID 3836 wrote to memory of 1548	3836	net.exe	net1.exe
PID 3836 wrote to memory of 1548	3836	net.exe	net1.exe
PID 1372 wrote to memory of 3876	1372	cmd.exe	net.exe
PID 1372 wrote to memory of 3876	1372	cmd.exe	net.exe
PID 3876 wrote to memory of 3908	3876	net.exe	net1.exe
PID 3876 wrote to memory of 3908	3876	net.exe	net1.exe
PID 1372 wrote to memory of 2352	1372	cmd.exe	net.exe
PID 1372 wrote to memory of 2352	1372	cmd.exe	net.exe
PID 2352 wrote to memory of 1860	2352	net.exe	net1.exe
PID 2352 wrote to memory of 1860	2352	net.exe	net1.exe
PID 1372 wrote to memory of 1512	1372	cmd.exe	net.exe
PID 1372 wrote to memory of 1512	1372	cmd.exe	net.exe
PID 1372 wrote to memory of 3596	1372	cmd.exe	net.exe
PID 1372 wrote to memory of 3596	1372	cmd.exe	net.exe
PID 3596 wrote to memory of 3756	3596	net.exe	net1.exe
PID 3596 wrote to memory of 3756	3596	net.exe	net1.exe
PID 1372 wrote to memory of 700	1372	cmd.exe	net.exe
PID 1372 wrote to memory of 700	1372	cmd.exe	net.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2268

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2572

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2864

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2768
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2768 -s 1000
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:2972

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2952

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3380

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2820

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3036

C:\Users\Admin\AppData\Local\Temp\89381e65ee999ab00da2d330f1832edac6542a5d4bb75f40fc2a6ece6c9a84c9.exe
"C:\Users\Admin\AppData\Local\Temp\89381e65ee999ab00da2d330f1832edac6542a5d4bb75f40fc2a6ece6c9a84c9.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3600

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 5c022a1c2ac19736fe47f6e6e3984ab7 xorpv0a6MUWbGFSXMdI1yQ.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:1492

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3808
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3160
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
  2⤵
  PID:3956
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
  2⤵
  PID:3848
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
  2⤵
  PID:1852
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
  2⤵
  PID:1380
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
  2⤵
  PID:1504
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
  2⤵
  PID:3304
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
  2⤵
  PID:1568
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
  2⤵
  PID:3152
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
  2⤵
  PID:3904
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
  2⤵
  PID:3372
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
  2⤵
  PID:3200
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
  2⤵
  PID:1828
- C:\Windows\system32\ipconfig.exe
  ipconfig /displaydns
  2⤵
  - Gathers network information
  PID:1304
- C:\Windows\system32\ROUTE.EXE
  route print
  2⤵
  PID:2916
- C:\Windows\system32\netsh.exe
  netsh firewall show state
  2⤵
  PID:3912
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:1788
- C:\Windows\system32\tasklist.exe
  tasklist /v
  2⤵
  - Enumerates processes with tasklist
  PID:3848
- C:\Windows\system32\net.exe
  net accounts /domain
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 accounts /domain
    3⤵
    PID:3936
- C:\Windows\system32\net.exe
  net share
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3836
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share
    3⤵
    PID:1548
- C:\Windows\system32\net.exe
  net user
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user
    3⤵
    PID:3908
- C:\Windows\system32\net.exe
  net user /domain
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user /domain
    3⤵
    PID:1860
- C:\Windows\system32\net.exe
  net use
  2⤵
  PID:1512
- C:\Windows\system32\net.exe
  net group
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 group
    3⤵
    PID:3756
- C:\Windows\system32\net.exe
  net localgroup
  2⤵
  PID:700
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup
    3⤵
    PID:3184
- C:\Windows\system32\NETSTAT.EXE
  netstat -r
  2⤵
  - Gathers network information
  PID:2312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
    3⤵
    PID:2672
  - - C:\Windows\system32\ROUTE.EXE
      C:\Windows\system32\route.exe print
      4⤵
      PID:636
- C:\Windows\system32\NETSTAT.EXE
  netstat -nao
  2⤵
  - Gathers network information
  PID:3224
- C:\Windows\system32\schtasks.exe
  schtasks /query
  2⤵
  PID:428
- C:\Windows\system32\ipconfig.exe
  ipconfig /all
  2⤵
  - Gathers network information
  PID:3452

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:1724

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1924

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:3372

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3312
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3312 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
1⤵
PID:432

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3360
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 876
  2⤵
  - Drops file in Windows directory
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3360 -ip 3360
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:644

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:972

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3332

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1248

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3540

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3328

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1920

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3668

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 2768 -ip 2768
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3012

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3252
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3252 -s 588
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:3432

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 3252 -ip 3252
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:916

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1352
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1352 -s 848
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:3952

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 1352 -ip 1352
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1952

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:700
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 700 -s 816
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:844

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 700 -ip 700
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1848

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:544
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 544 -s 636
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:3912

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 544 -ip 544
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4000

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3960
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3960 -s 840
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:3216

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 3960 -ip 3960
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

MD5
4c270d024453cd40e1ac151e91d0ad5e

SHA1
ab23ec87f9863d80617aa8a2f27638050315e4b3

SHA256
e8b31dfadf74c81ed41f74e9bf3a4ac0b8399dd7ecabcb6340678916a0f0599b

SHA512
6ba305fe8a02b7a09fe718289039219717b7573fc2706eca45f9f2cec33fd031d0ebddb9fa0f484911d01ebb5198ed68239a660d37d4e0f8f900ef6fb42a6e09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

MD5
0cc9eb8ccbf7715bad26c80b64761af4

SHA1
537e2ef92704582f0aadb637a6889286b05c4250

SHA256
7ec4efb1990ded09d7fc776b48a345081a59550c9184acd8f89b97bf159bd6b2

SHA512
e872432c12ee249a6145dcc7bea5a3ba324bdb398dba6d7de510c620949cf864ed0c1b669a58632c74abf53e7edeee11a7e2967b53ece67befb6d332febfe74c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

MD5
bf896def9f030ba892030ef1153c05df

SHA1
42eb21ad6484871b52cdd372296be9ad4e386cb0

SHA256
728fdbbf7720ee5c09d916f7f8f241c1c91cb5a0e4c610c61801e3bb58e32e0b

SHA512
d9c761afe34e36a8f994c4dd55938e14debb12542fa75703cc8afecf70bac302ffb37336ac7fcd6e8a1469b38bf3b783f8f3a9511b461a57fe0645ce9cd238e9

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/972-140-0x0000000000CC0000-0x0000000000CCC000-memory.dmp

Filesize
48KB

Download
memory/1248-143-0x00000000008E0000-0x00000000008E9000-memory.dmp

Filesize
36KB

Download
memory/1248-144-0x00000000008D0000-0x00000000008DE000-memory.dmp

Filesize
56KB

Download
memory/1920-150-0x0000000003120000-0x000000000312B000-memory.dmp

Filesize
44KB

Download
memory/1920-149-0x0000000003130000-0x0000000003136000-memory.dmp

Filesize
24KB

Download
memory/2268-155-0x000002312BB80000-0x000002312BB81000-memory.dmp

Filesize
4KB

Download
memory/2288-156-0x0000025822EB0000-0x0000025822EB1000-memory.dmp

Filesize
4KB

Download
memory/2324-157-0x000001D519F80000-0x000001D519F81000-memory.dmp

Filesize
4KB

Download
memory/2476-134-0x0000000002DE0000-0x0000000002DEF000-memory.dmp

Filesize
60KB

Download
memory/2476-133-0x0000000000F30000-0x0000000000F46000-memory.dmp

Filesize
88KB

Download
memory/2572-158-0x0000022E61CE0000-0x0000022E61CE1000-memory.dmp

Filesize
4KB

Download
memory/2820-161-0x000001F2EBDD0000-0x000001F2EBDD1000-memory.dmp

Filesize
4KB

Download
memory/2864-159-0x000002482A750000-0x000002482A751000-memory.dmp

Filesize
4KB

Download
memory/2952-160-0x0000022319860000-0x0000022319861000-memory.dmp

Filesize
4KB

Download
memory/3216-451-0x000002ABC41B0000-0x000002ABC47B1000-memory.dmp

Filesize
6.0MB

Download
memory/3216-459-0x000002ABC2410000-0x000002ABC3E62000-memory.dmp

Filesize
26.3MB

Download
memory/3252-166-0x000001C7A1C90000-0x000001C7A1C98000-memory.dmp

Filesize
32KB

Download
memory/3252-163-0x000001C7A0190000-0x000001C7A01A0000-memory.dmp

Filesize
64KB

Download
memory/3252-167-0x000001C7A1C80000-0x000001C7A1C81000-memory.dmp

Filesize
4KB

Download
memory/3252-165-0x000001C7A19A0000-0x000001C7A19A8000-memory.dmp

Filesize
32KB

Download
memory/3252-164-0x000001C7A01F0000-0x000001C7A0200000-memory.dmp

Filesize
64KB

Download
memory/3328-147-0x0000000000700000-0x0000000000706000-memory.dmp

Filesize
24KB

Download
memory/3328-148-0x00000000006F0000-0x00000000006FC000-memory.dmp

Filesize
48KB

Download
memory/3332-142-0x0000000003120000-0x000000000312B000-memory.dmp

Filesize
44KB

Download
memory/3332-141-0x0000000003130000-0x0000000003137000-memory.dmp

Filesize
28KB

Download
memory/3360-139-0x0000000003120000-0x000000000318B000-memory.dmp

Filesize
428KB

Download
memory/3360-138-0x0000000003400000-0x0000000003475000-memory.dmp

Filesize
468KB

Download
memory/3372-152-0x0000000004600000-0x000000000460B000-memory.dmp

Filesize
44KB

Download
memory/3372-151-0x0000000004610000-0x0000000004611000-memory.dmp

Filesize
4KB

Download
memory/3380-162-0x00000255154D0000-0x00000255154D1000-memory.dmp

Filesize
4KB

Download
memory/3380-169-0x00000255154D0000-0x00000255154D1000-memory.dmp

Filesize
4KB

Download
memory/3540-146-0x0000000000140000-0x0000000000149000-memory.dmp

Filesize
36KB

Download
memory/3540-145-0x0000000000150000-0x0000000000155000-memory.dmp

Filesize
20KB

Download
memory/3600-130-0x0000000000650000-0x0000000000678000-memory.dmp

Filesize
160KB

Download
memory/3600-132-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3600-131-0x00000000005D0000-0x00000000005D9000-memory.dmp

Filesize
36KB

Download
memory/3668-154-0x00000000004D0000-0x00000000004DD000-memory.dmp

Filesize
52KB

Download
memory/3668-153-0x00000000004E0000-0x00000000004E7000-memory.dmp

Filesize
28KB

Download