smokeloader | 9e6e122e4798d36ef04fa932941a529214294b4707c4c4432b3952efc1297937

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

wgewejc9e6e122e4798d36ef04fa932941a529214294b4707c4c4432b3952efc1297937.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wgewejc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9e6e122e4798d36ef04fa932941a529214294b4707c4c4432b3952efc1297937.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9e6e122e4798d36ef04fa932941a529214294b4707c4c4432b3952efc1297937.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9e6e122e4798d36ef04fa932941a529214294b4707c4c4432b3952efc1297937.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wgewejc
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wgewejc

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3492 tasklist.exe

pid	process
3492	tasklist.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

System Information Discovery

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeNETSTAT.EXENETSTAT.EXEipconfig.exe

pid process

2092 ipconfig.exe
1388 NETSTAT.EXE
1440 NETSTAT.EXE
3412 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2932 systeminfo.exe

pid	process
2092	ipconfig.exe
1388	NETSTAT.EXE
1440	NETSTAT.EXE
3412	ipconfig.exe

pid	process
2932	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 22 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3064944644"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30938019"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3064944644"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30938019"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3111351016"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30938019"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E1A3AE99-7F96-11EC-82D0-CA03E3C25406} = "0"	iexplore.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

WaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9e6e122e4798d36ef04fa932941a529214294b4707c4c4432b3952efc1297937.exe

pid	process
1184	9e6e122e4798d36ef04fa932941a529214294b4707c4c4432b3952efc1297937.exe
1184	9e6e122e4798d36ef04fa932941a529214294b4707c4c4432b3952efc1297937.exe
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2420

pid	process
2420

Suspicious behavior: MapViewOfSection 60 IoCs

Processes:

9e6e122e4798d36ef04fa932941a529214294b4707c4c4432b3952efc1297937.exewgewejcexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
1184	9e6e122e4798d36ef04fa932941a529214294b4707c4c4432b3952efc1297937.exe
3452	wgewejc
2420
2420
2420
2420
2420
2420
1284	explorer.exe
1284	explorer.exe
2420
2420
3792	explorer.exe
3792	explorer.exe
2420
2420
2932	explorer.exe
2932	explorer.exe
2420
2420
1672	explorer.exe
1672	explorer.exe
2420
2420
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
2420
2420
1952	explorer.exe
1952	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe
220	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	772	WMIC.exe
Token: SeSecurityPrivilege	772	WMIC.exe
Token: SeTakeOwnershipPrivilege	772	WMIC.exe
Token: SeLoadDriverPrivilege	772	WMIC.exe
Token: SeSystemProfilePrivilege	772	WMIC.exe
Token: SeSystemtimePrivilege	772	WMIC.exe
Token: SeProfSingleProcessPrivilege	772	WMIC.exe
Token: SeIncBasePriorityPrivilege	772	WMIC.exe
Token: SeCreatePagefilePrivilege	772	WMIC.exe
Token: SeBackupPrivilege	772	WMIC.exe
Token: SeRestorePrivilege	772	WMIC.exe
Token: SeShutdownPrivilege	772	WMIC.exe
Token: SeDebugPrivilege	772	WMIC.exe
Token: SeSystemEnvironmentPrivilege	772	WMIC.exe
Token: SeRemoteShutdownPrivilege	772	WMIC.exe
Token: SeUndockPrivilege	772	WMIC.exe
Token: SeManageVolumePrivilege	772	WMIC.exe
Token: 33	772	WMIC.exe
Token: 34	772	WMIC.exe
Token: 35	772	WMIC.exe
Token: 36	772	WMIC.exe
Token: SeIncreaseQuotaPrivilege	772	WMIC.exe
Token: SeSecurityPrivilege	772	WMIC.exe
Token: SeTakeOwnershipPrivilege	772	WMIC.exe
Token: SeLoadDriverPrivilege	772	WMIC.exe
Token: SeSystemProfilePrivilege	772	WMIC.exe
Token: SeSystemtimePrivilege	772	WMIC.exe
Token: SeProfSingleProcessPrivilege	772	WMIC.exe
Token: SeIncBasePriorityPrivilege	772	WMIC.exe
Token: SeCreatePagefilePrivilege	772	WMIC.exe
Token: SeBackupPrivilege	772	WMIC.exe
Token: SeRestorePrivilege	772	WMIC.exe
Token: SeShutdownPrivilege	772	WMIC.exe
Token: SeDebugPrivilege	772	WMIC.exe
Token: SeSystemEnvironmentPrivilege	772	WMIC.exe
Token: SeRemoteShutdownPrivilege	772	WMIC.exe
Token: SeUndockPrivilege	772	WMIC.exe
Token: SeManageVolumePrivilege	772	WMIC.exe
Token: 33	772	WMIC.exe
Token: 34	772	WMIC.exe
Token: 35	772	WMIC.exe
Token: 36	772	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2892	WMIC.exe
Token: SeSecurityPrivilege	2892	WMIC.exe
Token: SeTakeOwnershipPrivilege	2892	WMIC.exe
Token: SeLoadDriverPrivilege	2892	WMIC.exe
Token: SeSystemProfilePrivilege	2892	WMIC.exe
Token: SeSystemtimePrivilege	2892	WMIC.exe
Token: SeProfSingleProcessPrivilege	2892	WMIC.exe
Token: SeIncBasePriorityPrivilege	2892	WMIC.exe
Token: SeCreatePagefilePrivilege	2892	WMIC.exe
Token: SeBackupPrivilege	2892	WMIC.exe
Token: SeRestorePrivilege	2892	WMIC.exe
Token: SeShutdownPrivilege	2892	WMIC.exe
Token: SeDebugPrivilege	2892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2892	WMIC.exe
Token: SeRemoteShutdownPrivilege	2892	WMIC.exe
Token: SeUndockPrivilege	2892	WMIC.exe
Token: SeManageVolumePrivilege	2892	WMIC.exe
Token: 33	2892	WMIC.exe
Token: 34	2892	WMIC.exe
Token: 35	2892	WMIC.exe
Token: 36	2892	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2892	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3764 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3764 iexplore.exe
3764 iexplore.exe
3288 IEXPLORE.EXE
3288 IEXPLORE.EXE

pid	process
3764	iexplore.exe

pid	process
3764	iexplore.exe
3764	iexplore.exe
3288	IEXPLORE.EXE
3288	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2420 wrote to memory of 2872	2420		cmd.exe
PID 2420 wrote to memory of 2872	2420		cmd.exe
PID 2872 wrote to memory of 772	2872	cmd.exe	WMIC.exe
PID 2872 wrote to memory of 772	2872	cmd.exe	WMIC.exe
PID 2872 wrote to memory of 2104	2872	cmd.exe	WMIC.exe
PID 2872 wrote to memory of 2104	2872	cmd.exe	WMIC.exe
PID 2872 wrote to memory of 2892	2872	cmd.exe	WMIC.exe
PID 2872 wrote to memory of 2892	2872	cmd.exe	WMIC.exe
PID 2872 wrote to memory of 3744	2872	cmd.exe	WMIC.exe
PID 2872 wrote to memory of 3744	2872	cmd.exe	WMIC.exe
PID 2872 wrote to memory of 2576	2872	cmd.exe	WMIC.exe
PID 2872 wrote to memory of 2576	2872	cmd.exe	WMIC.exe
PID 2872 wrote to memory of 4024	2872	cmd.exe	WMIC.exe
PID 2872 wrote to memory of 4024	2872	cmd.exe	WMIC.exe
PID 2872 wrote to memory of 1840	2872	cmd.exe	WMIC.exe
PID 2872 wrote to memory of 1840	2872	cmd.exe	WMIC.exe
PID 2872 wrote to memory of 456	2872	cmd.exe	WMIC.exe
PID 2872 wrote to memory of 456	2872	cmd.exe	WMIC.exe
PID 2872 wrote to memory of 740	2872	cmd.exe	WMIC.exe
PID 2872 wrote to memory of 740	2872	cmd.exe	WMIC.exe
PID 2872 wrote to memory of 3304	2872	cmd.exe	WMIC.exe
PID 2872 wrote to memory of 3304	2872	cmd.exe	WMIC.exe
PID 2872 wrote to memory of 3648	2872	cmd.exe	WMIC.exe
PID 2872 wrote to memory of 3648	2872	cmd.exe	WMIC.exe
PID 2872 wrote to memory of 716	2872	cmd.exe	WMIC.exe
PID 2872 wrote to memory of 716	2872	cmd.exe	WMIC.exe
PID 2872 wrote to memory of 3752	2872	cmd.exe	WMIC.exe
PID 2872 wrote to memory of 3752	2872	cmd.exe	WMIC.exe
PID 2872 wrote to memory of 2860	2872	cmd.exe	WMIC.exe
PID 2872 wrote to memory of 2860	2872	cmd.exe	WMIC.exe
PID 2872 wrote to memory of 2092	2872	cmd.exe	ipconfig.exe
PID 2872 wrote to memory of 2092	2872	cmd.exe	ipconfig.exe
PID 2872 wrote to memory of 2440	2872	cmd.exe	ROUTE.EXE
PID 2872 wrote to memory of 2440	2872	cmd.exe	ROUTE.EXE
PID 2872 wrote to memory of 2288	2872	cmd.exe	netsh.exe
PID 2872 wrote to memory of 2288	2872	cmd.exe	netsh.exe
PID 2872 wrote to memory of 2932	2872	cmd.exe	systeminfo.exe
PID 2872 wrote to memory of 2932	2872	cmd.exe	systeminfo.exe
PID 2872 wrote to memory of 3492	2872	cmd.exe	tasklist.exe
PID 2872 wrote to memory of 3492	2872	cmd.exe	tasklist.exe
PID 2872 wrote to memory of 1496	2872	cmd.exe	net.exe
PID 2872 wrote to memory of 1496	2872	cmd.exe	net.exe
PID 1496 wrote to memory of 1164	1496	net.exe	net1.exe
PID 1496 wrote to memory of 1164	1496	net.exe	net1.exe
PID 2872 wrote to memory of 1536	2872	cmd.exe	net.exe
PID 2872 wrote to memory of 1536	2872	cmd.exe	net.exe
PID 1536 wrote to memory of 1500	1536	net.exe	net1.exe
PID 1536 wrote to memory of 1500	1536	net.exe	net1.exe
PID 2872 wrote to memory of 2188	2872	cmd.exe	net.exe
PID 2872 wrote to memory of 2188	2872	cmd.exe	net.exe
PID 2188 wrote to memory of 1108	2188	net.exe	net1.exe
PID 2188 wrote to memory of 1108	2188	net.exe	net1.exe
PID 2872 wrote to memory of 3160	2872	cmd.exe	net.exe
PID 2872 wrote to memory of 3160	2872	cmd.exe	net.exe
PID 3160 wrote to memory of 2796	3160	net.exe	net1.exe
PID 3160 wrote to memory of 2796	3160	net.exe	net1.exe
PID 2872 wrote to memory of 3276	2872	cmd.exe	net.exe
PID 2872 wrote to memory of 3276	2872	cmd.exe	net.exe
PID 2872 wrote to memory of 1448	2872	cmd.exe	net.exe
PID 2872 wrote to memory of 1448	2872	cmd.exe	net.exe
PID 1448 wrote to memory of 2244	1448	net.exe	net1.exe
PID 1448 wrote to memory of 2244	1448	net.exe	net1.exe
PID 2872 wrote to memory of 1900	2872	cmd.exe	net.exe
PID 2872 wrote to memory of 1900	2872	cmd.exe	net.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2224

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2276

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2736

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2736 -s 980
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1280

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2904

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2836

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2984

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2692

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3556

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2532

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\9e6e122e4798d36ef04fa932941a529214294b4707c4c4432b3952efc1297937.exe
"C:\Users\Admin\AppData\Local\Temp\9e6e122e4798d36ef04fa932941a529214294b4707c4c4432b3952efc1297937.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1184

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 3d6c6b0c41438c7434ed3fe7b29a53f0 bXnXmFxU+UWcRzSxoOIL+g.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:560

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:772

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
PID:2104

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:3744

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:2576

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
2⤵
PID:4024

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
2⤵
PID:1840

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
2⤵
PID:456

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
2⤵
PID:740

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
2⤵
PID:3304

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
2⤵
PID:3648

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
2⤵
PID:716

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
2⤵
PID:3752

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
2⤵
PID:2860

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
2⤵
- Gathers network information
PID:2092

C:\Windows\system32\ROUTE.EXE
route print
2⤵
PID:2440

C:\Windows\system32\netsh.exe
netsh firewall show state
2⤵
PID:2288

C:\Windows\system32\systeminfo.exe
systeminfo
2⤵
- Gathers system information
PID:2932

C:\Windows\system32\tasklist.exe
tasklist /v
2⤵
- Enumerates processes with tasklist
PID:3492

C:\Windows\system32\net.exe
net accounts /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 accounts /domain
3⤵
PID:1164

C:\Windows\system32\net.exe
net share
2⤵
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
3⤵
PID:1500

C:\Windows\system32\net.exe
net user
2⤵
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
3⤵
PID:1108

C:\Windows\system32\net.exe
net user /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /domain
3⤵
PID:2796

C:\Windows\system32\net.exe
net use
2⤵
PID:3276

C:\Windows\system32\net.exe
net group
2⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group
3⤵
PID:2244

C:\Windows\system32\net.exe
net localgroup
2⤵
PID:1900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
3⤵
PID:3880

C:\Windows\system32\NETSTAT.EXE
netstat -r
2⤵
- Gathers network information
PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
3⤵
PID:1280

C:\Windows\system32\ROUTE.EXE
C:\Windows\system32\route.exe print
4⤵
PID:2444

C:\Windows\system32\NETSTAT.EXE
netstat -nao
2⤵
- Gathers network information
PID:1440

C:\Windows\system32\schtasks.exe
schtasks /query
2⤵
PID:3536

C:\Windows\system32\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:3412

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3916

C:\Users\Admin\AppData\Roaming\wgewejc
C:\Users\Admin\AppData\Roaming\wgewejc
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3452

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3244

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:2384

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3764

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3764 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
1⤵
PID:624

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 876
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3972

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3596

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2808 -ip 2808
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2392

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3792

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2932

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1672

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1952

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:220

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 2736 -ip 2736
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3880

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3320

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3320 -s 756
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3648

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 3320 -ip 3320
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3348

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:784

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 784 -s 776
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3596

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 504 -p 784 -ip 784
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

3

Peripheral Device Discovery

T1120

System Information Discovery

5

Process Discovery