Behavioral Report

max time kernel151s
max time network154s
platformwindows10-2004_x64
resourcewin10v2004-20220414-en
submitted21-05-2022 18:00

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe

Filesize

305KB

Completed

21-05-2022 18:03

Task

behavioral1

Score

10^/10

MD5

eb9b532b8edac23726c27b76bf330e03

SHA1

a7aa6b9e089fd4f6845d84c7569e55eb3971c5e1

SHA256

c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd

SHA256

0a721e387100f446bee4987f50ec6ca71312a239136f68912c8a677ea0530e2b9c008980bbe5402d3ed17df22a0dbfd0e833440c243b49745224669fbede050e

smokeloader backdoor evasion trojan

Extracted

Family	smokeloader
Version	2020
C2	https://ny-city-mall.com/search.php https://fresh-cars.net/search.php https://ny-city-mall.com/search.php https://fresh-cars.net/search.php
rc4.i32
rc4.i32

Defense Evasion

Discovery

Execution

Persistence

SmokeLoader

Description

Modular backdoor trojan in use since 2014.

Tags

trojan backdoor smokeloader
Modifies Windows Firewall

Tags

evasion

TTPs

Modify Existing Service
Program crash
WerFault.exe

Reported IOCs

pid pid_target process target process

996 4232 WerFault.exe explorer.exe

pid	pid_target	process	target process
996	4232	WerFault.exe	explorer.exe

Checks SCSI registry key(s)

c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe

Description

SCSI information is often read in order to detect sandboxing environments.

TTPs

Query RegistryPeripheral Device DiscoverySystem Information Discovery

Reported IOCs

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe

Enumerates processes with tasklist
tasklist.exe

TTPs

Process Discovery

Reported IOCs

pid process

3092 tasklist.exe
Gathers network information
ipconfig.exeipconfig.exeNETSTAT.EXENETSTAT.EXE

Description

Uses commandline utility to view network configuration.

TTPs

System Information DiscoveryCommand-Line Interface

Reported IOCs

pid process

744 ipconfig.exe
1892 ipconfig.exe
4648 NETSTAT.EXE
1236 NETSTAT.EXE
Gathers system information
systeminfo.exe

Description

Runs systeminfo.exe.

TTPs

System Information Discovery

Reported IOCs

pid process

2312 systeminfo.exe

pid	process
3092	tasklist.exe

pid	process
744	ipconfig.exe
1892	ipconfig.exe
4648	NETSTAT.EXE
1236	NETSTAT.EXE

pid	process
2312	systeminfo.exe

Modifies Internet Explorer settings

iexplore.exeIEXPLORE.EXE

TTPs

Modify Registry

Reported IOCs

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0FE003C4-D930-11EC-AD90-FA9902833152} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3829245710"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3833775964"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 405b45e63c6dd801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20d14ee63c6dd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3829245710"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30960956"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d44f7c908017924dbb36ebe98e677ce100000000020000000000106600000001000020000000714ae7807ba8f850eb4bd8bf21f6bd458b01cb4a26b3152bbae0b11fa682da53000000000e80000000020000200000006a4b31e0361983ef64efcc84c21dcd4ee9536b4df6ad5ce54fdb017e13fb162d200000000f70b3374ef799d0ec43fdf8b1bb958dd7f890e8f0ea897c6cf954c91e29177240000000422d2a0daa50bd4b6795fa58e1d2a503bc7f899c9c12e30e75223b3f3e2839c2ea8d4f3697e126c11a41cf4a0b24b1cce878fbbd29dbee958367cda28f464489	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30960956"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d44f7c908017924dbb36ebe98e677ce100000000020000000000106600000001000020000000eebdadc93fc2e2b81075e50b731b226494e47ad2a9ab1a638e27963cd0256a9f000000000e80000000020000200000005c41b5ecf2a6869cecd3299aebaa9339b5dffd877b0716e539a1627124686359200000004c187528f7d3d49e4a79b7f79206d29c144701cae68d6d3225085fbb6199288540000000f49b21eee5bd182c03481105b7878aac838c6bd3f1e06c7355e5b3a6879fbd3d93e2876bdf8e92658bd2b30d7c0dbc6e20349c26dcf39ec16cf8936863a025de	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "359921073"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30960956"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses

c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe

Reported IOCs

pid	process
4192	c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe
4192	c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092

Suspicious behavior: GetForegroundWindowSpam

Reported IOCs

pid process

2092

pid	process
2092

Suspicious behavior: MapViewOfSection

c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

Reported IOCs

pid	process
4192	c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe
2092
2092
2092
2092
2092
2092
3960	explorer.exe
3960	explorer.exe
2092
2092
1044	explorer.exe
1044	explorer.exe
2092
2092
1872	explorer.exe
1872	explorer.exe
2092
2092
2944	explorer.exe
2944	explorer.exe
2092
2092
4636	explorer.exe
4636	explorer.exe
4636	explorer.exe
4636	explorer.exe
2092
2092
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe

Suspicious use of AdjustPrivilegeToken

WMIC.exeWMIC.exe

Reported IOCs

description	pid	process
Token: SeIncreaseQuotaPrivilege	4152	WMIC.exe
Token: SeSecurityPrivilege	4152	WMIC.exe
Token: SeTakeOwnershipPrivilege	4152	WMIC.exe
Token: SeLoadDriverPrivilege	4152	WMIC.exe
Token: SeSystemProfilePrivilege	4152	WMIC.exe
Token: SeSystemtimePrivilege	4152	WMIC.exe
Token: SeProfSingleProcessPrivilege	4152	WMIC.exe
Token: SeIncBasePriorityPrivilege	4152	WMIC.exe
Token: SeCreatePagefilePrivilege	4152	WMIC.exe
Token: SeBackupPrivilege	4152	WMIC.exe
Token: SeRestorePrivilege	4152	WMIC.exe
Token: SeShutdownPrivilege	4152	WMIC.exe
Token: SeDebugPrivilege	4152	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4152	WMIC.exe
Token: SeRemoteShutdownPrivilege	4152	WMIC.exe
Token: SeUndockPrivilege	4152	WMIC.exe
Token: SeManageVolumePrivilege	4152	WMIC.exe
Token: 33	4152	WMIC.exe
Token: 34	4152	WMIC.exe
Token: 35	4152	WMIC.exe
Token: 36	4152	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4152	WMIC.exe
Token: SeSecurityPrivilege	4152	WMIC.exe
Token: SeTakeOwnershipPrivilege	4152	WMIC.exe
Token: SeLoadDriverPrivilege	4152	WMIC.exe
Token: SeSystemProfilePrivilege	4152	WMIC.exe
Token: SeSystemtimePrivilege	4152	WMIC.exe
Token: SeProfSingleProcessPrivilege	4152	WMIC.exe
Token: SeIncBasePriorityPrivilege	4152	WMIC.exe
Token: SeCreatePagefilePrivilege	4152	WMIC.exe
Token: SeBackupPrivilege	4152	WMIC.exe
Token: SeRestorePrivilege	4152	WMIC.exe
Token: SeShutdownPrivilege	4152	WMIC.exe
Token: SeDebugPrivilege	4152	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4152	WMIC.exe
Token: SeRemoteShutdownPrivilege	4152	WMIC.exe
Token: SeUndockPrivilege	4152	WMIC.exe
Token: SeManageVolumePrivilege	4152	WMIC.exe
Token: 33	4152	WMIC.exe
Token: 34	4152	WMIC.exe
Token: 35	4152	WMIC.exe
Token: 36	4152	WMIC.exe
Token: SeIncreaseQuotaPrivilege	256	WMIC.exe
Token: SeSecurityPrivilege	256	WMIC.exe
Token: SeTakeOwnershipPrivilege	256	WMIC.exe
Token: SeLoadDriverPrivilege	256	WMIC.exe
Token: SeSystemProfilePrivilege	256	WMIC.exe
Token: SeSystemtimePrivilege	256	WMIC.exe
Token: SeProfSingleProcessPrivilege	256	WMIC.exe
Token: SeIncBasePriorityPrivilege	256	WMIC.exe
Token: SeCreatePagefilePrivilege	256	WMIC.exe
Token: SeBackupPrivilege	256	WMIC.exe
Token: SeRestorePrivilege	256	WMIC.exe
Token: SeShutdownPrivilege	256	WMIC.exe
Token: SeDebugPrivilege	256	WMIC.exe
Token: SeSystemEnvironmentPrivilege	256	WMIC.exe
Token: SeRemoteShutdownPrivilege	256	WMIC.exe
Token: SeUndockPrivilege	256	WMIC.exe
Token: SeManageVolumePrivilege	256	WMIC.exe
Token: 33	256	WMIC.exe
Token: 34	256	WMIC.exe
Token: 35	256	WMIC.exe
Token: 36	256	WMIC.exe
Token: SeIncreaseQuotaPrivilege	256	WMIC.exe

Suspicious use of FindShellTrayWindow
iexplore.exe

Reported IOCs

pid process

400 iexplore.exe
Suspicious use of SetWindowsHookEx
iexplore.exeIEXPLORE.EXE

Reported IOCs

pid process

400 iexplore.exe
400 iexplore.exe
2624 IEXPLORE.EXE
2624 IEXPLORE.EXE

pid	process
400	iexplore.exe

pid	process
400	iexplore.exe
400	iexplore.exe
2624	IEXPLORE.EXE
2624	IEXPLORE.EXE

Suspicious use of WriteProcessMemory

cmd.exenet.exenet.exenet.exenet.exenet.exe

Reported IOCs

description	pid	process	target process
PID 2092 wrote to memory of 4784	2092		cmd.exe
PID 2092 wrote to memory of 4784	2092		cmd.exe
PID 4784 wrote to memory of 4152	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 4152	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 256	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 256	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 536	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 536	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 4588	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 4588	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 3960	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 3960	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 1168	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 1168	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 3988	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 3988	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 3440	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 3440	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 4976	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 4976	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 832	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 832	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 3380	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 3380	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 4060	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 4060	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 4348	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 4348	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 4028	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 4028	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 1892	4784	cmd.exe	ipconfig.exe
PID 4784 wrote to memory of 1892	4784	cmd.exe	ipconfig.exe
PID 4784 wrote to memory of 3572	4784	cmd.exe	ROUTE.EXE
PID 4784 wrote to memory of 3572	4784	cmd.exe	ROUTE.EXE
PID 4784 wrote to memory of 1152	4784	cmd.exe	netsh.exe
PID 4784 wrote to memory of 1152	4784	cmd.exe	netsh.exe
PID 4784 wrote to memory of 2312	4784	cmd.exe	systeminfo.exe
PID 4784 wrote to memory of 2312	4784	cmd.exe	systeminfo.exe
PID 4784 wrote to memory of 3092	4784	cmd.exe	tasklist.exe
PID 4784 wrote to memory of 3092	4784	cmd.exe	tasklist.exe
PID 4784 wrote to memory of 4556	4784	cmd.exe	net.exe
PID 4784 wrote to memory of 4556	4784	cmd.exe	net.exe
PID 4556 wrote to memory of 3480	4556	net.exe	net1.exe
PID 4556 wrote to memory of 3480	4556	net.exe	net1.exe
PID 4784 wrote to memory of 2708	4784	cmd.exe	net.exe
PID 4784 wrote to memory of 2708	4784	cmd.exe	net.exe
PID 2708 wrote to memory of 4932	2708	net.exe	net1.exe
PID 2708 wrote to memory of 4932	2708	net.exe	net1.exe
PID 4784 wrote to memory of 5116	4784	cmd.exe	net.exe
PID 4784 wrote to memory of 5116	4784	cmd.exe	net.exe
PID 5116 wrote to memory of 4316	5116	net.exe	net1.exe
PID 5116 wrote to memory of 4316	5116	net.exe	net1.exe
PID 4784 wrote to memory of 2816	4784	cmd.exe	net.exe
PID 4784 wrote to memory of 2816	4784	cmd.exe	net.exe
PID 2816 wrote to memory of 3108	2816	net.exe	net1.exe
PID 2816 wrote to memory of 3108	2816	net.exe	net1.exe
PID 4784 wrote to memory of 4080	4784	cmd.exe	net.exe
PID 4784 wrote to memory of 4080	4784	cmd.exe	net.exe
PID 4784 wrote to memory of 3364	4784	cmd.exe	net.exe
PID 4784 wrote to memory of 3364	4784	cmd.exe	net.exe
PID 3364 wrote to memory of 4564	3364	net.exe	net1.exe
PID 3364 wrote to memory of 4564	3364	net.exe	net1.exe
PID 4784 wrote to memory of 4676	4784	cmd.exe	net.exe
PID 4784 wrote to memory of 4676	4784	cmd.exe	net.exe

C:\Windows\system32\sihost.exe

sihost.exe

PID:2272

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

PID:4204

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

PID:3804

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

PID:3612

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

PID:3460

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

PID:3396

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

PID:3292

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

PID:3084

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

PID:2444

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

PID:2288

C:\Users\Admin\AppData\Local\Temp\c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe

"C:\Users\Admin\AppData\Local\Temp\c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe"

Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection

PID:4192

C:\Windows\system32\cmd.exe

cmd

Suspicious use of WriteProcessMemory

PID:4784

C:\Windows\System32\Wbem\WMIC.exe

wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv

Suspicious use of AdjustPrivilegeToken

PID:4152

C:\Windows\System32\Wbem\WMIC.exe

wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv

Suspicious use of AdjustPrivilegeToken

PID:256

C:\Windows\System32\Wbem\WMIC.exe

wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv

PID:536

C:\Windows\System32\Wbem\WMIC.exe

wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv

PID:4588

C:\Windows\System32\Wbem\WMIC.exe

wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv

PID:3960

C:\Windows\System32\Wbem\WMIC.exe

wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv

PID:1168

C:\Windows\System32\Wbem\WMIC.exe

wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv

PID:3988

C:\Windows\System32\Wbem\WMIC.exe

wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv

PID:3440

C:\Windows\System32\Wbem\WMIC.exe

wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv

PID:4976

C:\Windows\System32\Wbem\WMIC.exe

wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv

PID:832

C:\Windows\System32\Wbem\WMIC.exe

wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv

PID:3380

C:\Windows\System32\Wbem\WMIC.exe

wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv

PID:4060

C:\Windows\System32\Wbem\WMIC.exe

wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv

PID:4348

C:\Windows\System32\Wbem\WMIC.exe

wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv

PID:4028

C:\Windows\system32\ipconfig.exe

ipconfig /displaydns

Gathers network information

PID:1892

C:\Windows\system32\ROUTE.EXE

route print

PID:3572

C:\Windows\system32\netsh.exe

netsh firewall show state

PID:1152

C:\Windows\system32\systeminfo.exe

systeminfo

Gathers system information

PID:2312

C:\Windows\system32\tasklist.exe

tasklist /v

Enumerates processes with tasklist

PID:3092

C:\Windows\system32\net.exe

net accounts /domain

Suspicious use of WriteProcessMemory

PID:4556

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 accounts /domain

PID:3480

C:\Windows\system32\net.exe

net share

Suspicious use of WriteProcessMemory

PID:2708

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 share

PID:4932

C:\Windows\system32\net.exe

net user

Suspicious use of WriteProcessMemory

PID:5116

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user

PID:4316

C:\Windows\system32\net.exe

net user /domain

Suspicious use of WriteProcessMemory

PID:2816

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user /domain

PID:3108

C:\Windows\system32\net.exe

net use

PID:4080

C:\Windows\system32\net.exe

net group

Suspicious use of WriteProcessMemory

PID:3364

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 group

PID:4564

C:\Windows\system32\net.exe

net localgroup

PID:4676

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup

PID:3844

C:\Windows\system32\NETSTAT.EXE

netstat -r

Gathers network information

PID:4648

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print

PID:380

C:\Windows\system32\ROUTE.EXE

C:\Windows\system32\route.exe print

PID:1012

C:\Windows\system32\NETSTAT.EXE

netstat -nao

Gathers network information

PID:1236

C:\Windows\system32\schtasks.exe

schtasks /query

PID:4812

C:\Windows\system32\ipconfig.exe

ipconfig /all

Gathers network information

PID:744

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

PID:4000

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

PID:4076

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx

PID:400

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:400 CREDAT:17410 /prefetch:2

Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx

PID:2624

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

PID:4232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 872

Program crash

PID:996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4232 -ip 4232

PID:2780

C:\Windows\explorer.exe

C:\Windows\explorer.exe

PID:4388

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Suspicious behavior: MapViewOfSection

PID:3960

C:\Windows\explorer.exe

C:\Windows\explorer.exe

Suspicious behavior: MapViewOfSection

PID:1044

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Suspicious behavior: MapViewOfSection

PID:1872

C:\Windows\explorer.exe

C:\Windows\explorer.exe

Suspicious behavior: MapViewOfSection

PID:2944

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Suspicious behavior: MapViewOfSection

PID:4636

C:\Windows\explorer.exe

C:\Windows\explorer.exe

Suspicious behavior: MapViewOfSection

PID:2396

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Command-Line Interface

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Modify Existing Service

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
bd72dc52da415559c02553bb1e7bd3c3

SHA1
64e00d8ec1ecb62146f0a2349e9fab7e7cb48ac4

SHA256
ac706580ffcb98d6b28184b26f71eaca509846170a3dba74c2a48a646e8c8eed

SHA512
e6e90e6c60e0f1419a9c1ce4863f5ef93b03967c8e0a5ebe570e48556ff0bd097acfe43e25e10ec8f2a4377c134d9c1ccf233b89c1bdce0038a04ef869a82139

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
790c27a2aa8786b37315becccba4b7fa

SHA1
612235d0bc228c66b1934db05fd3b0ae847a8fab

SHA256
fd718f5c44b747134c088831aa36cbec5a91e84b907850b4a96335ebd84863a4

SHA512
77889866b84ae75310e8af91a76c95f1313d273496ded939f0bdc436fa094bff2f47024bbe8bc7db92885e2ef552fc9a72c59031cac4ce7b5ac49fad264eb8ad

Download Submit
memory/256-137-0x0000000000000000-mapping.dmp

Download
memory/380-169-0x0000000000000000-mapping.dmp

Download
memory/536-138-0x0000000000000000-mapping.dmp

Download
memory/744-173-0x0000000000000000-mapping.dmp

Download
memory/832-145-0x0000000000000000-mapping.dmp

Download
memory/1012-170-0x0000000000000000-mapping.dmp

Download
memory/1044-177-0x0000000000000000-mapping.dmp

Download
memory/1152-152-0x0000000000000000-mapping.dmp

Download
memory/1168-141-0x0000000000000000-mapping.dmp

Download
memory/1236-171-0x0000000000000000-mapping.dmp

Download
memory/1872-178-0x0000000000000000-mapping.dmp

Download
memory/1892-150-0x0000000000000000-mapping.dmp

Download
memory/2092-134-0x00000000078F0000-0x00000000078FF000-memory.dmp

Download
memory/2092-133-0x0000000000780000-0x0000000000796000-memory.dmp

Download
memory/2312-153-0x0000000000000000-mapping.dmp

Download
memory/2396-181-0x0000000000000000-mapping.dmp

Download
memory/2708-157-0x0000000000000000-mapping.dmp

Download
memory/2816-161-0x0000000000000000-mapping.dmp

Download
memory/2944-179-0x0000000000000000-mapping.dmp

Download
memory/3092-154-0x0000000000000000-mapping.dmp

Download
memory/3108-162-0x0000000000000000-mapping.dmp

Download
memory/3364-164-0x0000000000000000-mapping.dmp

Download
memory/3380-146-0x0000000000000000-mapping.dmp

Download
memory/3440-143-0x0000000000000000-mapping.dmp

Download
memory/3480-156-0x0000000000000000-mapping.dmp

Download
memory/3572-151-0x0000000000000000-mapping.dmp

Download
memory/3844-167-0x0000000000000000-mapping.dmp

Download
memory/3960-176-0x0000000000000000-mapping.dmp

Download
memory/3960-140-0x0000000000000000-mapping.dmp

Download
memory/3988-142-0x0000000000000000-mapping.dmp

Download
memory/4028-149-0x0000000000000000-mapping.dmp

Download
memory/4060-147-0x0000000000000000-mapping.dmp

Download
memory/4080-163-0x0000000000000000-mapping.dmp

Download
memory/4152-136-0x0000000000000000-mapping.dmp

Download
memory/4192-131-0x00000000001F0000-0x00000000001F9000-memory.dmp

Download
memory/4192-132-0x0000000000400000-0x000000000048D000-memory.dmp

Download
memory/4192-130-0x0000000000622000-0x0000000000632000-memory.dmp

Download
memory/4232-174-0x0000000000000000-mapping.dmp

Download
memory/4316-160-0x0000000000000000-mapping.dmp

Download
memory/4348-148-0x0000000000000000-mapping.dmp

Download
memory/4388-175-0x0000000000000000-mapping.dmp

Download
memory/4556-155-0x0000000000000000-mapping.dmp

Download
memory/4564-165-0x0000000000000000-mapping.dmp

Download
memory/4588-139-0x0000000000000000-mapping.dmp

Download
memory/4636-180-0x0000000000000000-mapping.dmp

Download
memory/4648-168-0x0000000000000000-mapping.dmp

Download
memory/4676-166-0x0000000000000000-mapping.dmp

Download
memory/4784-135-0x0000000000000000-mapping.dmp

Download
memory/4812-172-0x0000000000000000-mapping.dmp

Download
memory/4932-158-0x0000000000000000-mapping.dmp

Download
memory/4976-144-0x0000000000000000-mapping.dmp

Download
memory/5116-159-0x0000000000000000-mapping.dmp

Download

Extracted

Filter: none

Description

Tags

Tags

TTPs

Reported IOCs

Description

TTPs

Reported IOCs

TTPs

Reported IOCs

Description

TTPs

Reported IOCs

Description

TTPs

Reported IOCs

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title