Analysis

Max time kernel: 156s
Max time network: 148s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220112
Submitted: 27-01-2022 21:16

Static task: static1
Behavioral task: behavioral1
Sample: 711b1ffba35470c7341ee76ea2308d1aea7722573f827a909ff6950054571124.exe
Resource: win10v2004-en-20220112

General

Target: 711b1ffba35470c7341ee76ea2308d1aea7722573f827a909ff6950054571124.exe
Size: 188KB
MD5: 5e9f68bb219f2c8b129eaa9bf3af7f20
SHA1: 7c1fd27ade6793e787e42c1b5dba78c002948b05
SHA256: 711b1ffba35470c7341ee76ea2308d1aea7722573f827a909ff6950054571124
SHA512: 09305a5c392e7782c9787b95aa40ade538232cabf5dfde27fd4fd7c758aa3446727570cbd617f042c69ffecf6e8be39772b61cbc111e68765e55c32a6474c240
Malware Config

Extracted
Family: smokeloader
Version: 2020
C2: https://oakland-studio.video/search.php
C2: https://seattle-university.video/search.php
Signatures

SmokeLoader
    Modular backdoor trojan in use since 2014.

Modifies Windows Firewall (1 TTPs)

Sets service image path in registry (2 TTPs)

Drops file in Windows directory (1 IoCs)
    Processes:
    description                    ioc                           process
    File opened for modification   C:\Windows\Logs\CBS\CBS.log   TiWorker.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
    SCSI information is often read in order to detect sandboxing environments.
    Processes:
    description      ioc                                                process
    Key opened       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   711b1ffba35470c7341ee76ea2308d1aea7722573f827a909ff6950054571124.exe
    Key queried      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   711b1ffba35470c7341ee76ea2308d1aea7722573f827a909ff6950054571124.exe
    Key enumerated   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   711b1ffba35470c7341ee76ea2308d1aea7722573f827a909ff6950054571124.exe

Enumerates processes with tasklist (1 TTPs, 1 IoCs)

Gathers network information (2 TTPs, 2 IoCs)
    Uses commandline utility to view network configuration.
    Processes:
    pid    process
    1188   ipconfig.exe
    3328   NETSTAT.EXE

Gathers system information (1 TTPs, 1 IoCs)
    Runs systeminfo.exe.

Modifies data under HKEY_USERS (41 IoCs)
    Processes:
    WaaSMedicAgent.exe
Runs net.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
    Processes:
    pid    process
    3948   711b1ffba35470c7341ee76ea2308d1aea7722573f827a909ff6950054571124.exe
    3948   711b1ffba35470c7341ee76ea2308d1aea7722573f827a909ff6950054571124.exe
    2384   (process name not recorded; all remaining entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
    Processes:
    pid    process
    2384   (process name not recorded)

Suspicious behavior: MapViewOfSection (1 IoCs)
    Processes:
    pid    process
    3948   711b1ffba35470c7341ee76ea2308d1aea7722573f827a909ff6950054571124.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
    Processes:
    WMIC.exe (PID 2964), WMIC.exe (PID 4004)
Suspicious use of WriteProcessMemory (64 IoCs)
    Processes:
    cmd.exe, net.exe (5 instances)
Processes

C:\Users\Admin\AppData\Local\Temp\711b1ffba35470c7341ee76ea2308d1aea7722573f827a909ff6950054571124.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\711b1ffba35470c7341ee76ea2308d1aea7722573f827a909ff6950054571124.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

C:\Windows\System32\WaaSMedicAgent.exe
    Command line: C:\Windows\System32\WaaSMedicAgent.exe 8eb3dc7ab0a98909d994ebf09c18891e siIubRRiTk+y8IxrmhWjIw.0.1.0.0.0
    - Modifies data under HKEY_USERS

C:\Windows\system32\cmd.exe
    Command line: cmd
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv

    C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv

    C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv

    C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv

    C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv

    C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv

    C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv

    C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv

    C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv

    C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv

    C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv

    C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv

    C:\Windows\system32\ipconfig.exe
        Command line: ipconfig /displaydns
        - Gathers network information

    C:\Windows\system32\ROUTE.EXE
        Command line: route print

    C:\Windows\system32\netsh.exe
        Command line: netsh firewall show state

    C:\Windows\system32\systeminfo.exe
        Command line: systeminfo
        - Gathers system information

    C:\Windows\system32\tasklist.exe
        Command line: tasklist /v
        - Enumerates processes with tasklist

    C:\Windows\system32\net.exe
        Command line: net accounts /domain
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 accounts /domain

    C:\Windows\system32\net.exe
        Command line: net share
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 share

    C:\Windows\system32\net.exe
        Command line: net user
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 user

    C:\Windows\system32\net.exe
        Command line: net user /domain
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 user /domain

    C:\Windows\system32\net.exe
        Command line: net use

    C:\Windows\system32\net.exe
        Command line: net group
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 group

    C:\Windows\system32\net.exe
        Command line: net localgroup

        C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 localgroup

    C:\Windows\system32\NETSTAT.EXE
        Command line: netstat -r
        - Gathers network information

        C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print

            C:\Windows\system32\ROUTE.EXE
                Command line: C:\Windows\system32\route.exe print

C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    - Drops file in Windows directory
Downloads

memory/2384-133-0x00000000027D0000-0x00000000027E6000-memory.dmp   Filesize: 88KB
memory/2384-134-0x0000000002DC0000-0x0000000002DCF000-memory.dmp   Filesize: 60KB
memory/3948-130-0x0000000000600000-0x0000000000628000-memory.dmp   Filesize: 160KB
memory/3948-131-0x00000000005D0000-0x00000000005D9000-memory.dmp   Filesize: 36KB
memory/3948-132-0x0000000000400000-0x0000000000436000-memory.dmp   Filesize: 216KB