9730e03ca9d052875895b4ad7ba7914f69009fd5fb58d324ee35d3e45f90d768

General

Target

iis_agent32.exe
Sample

191030-4jjvvmbgys
SHA256

9730e03ca9d052875895b4ad7ba7914f69009fd5fb58d324ee35d3e45f90d768

Score

N/A

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

iis_agent32.exevssvc.exeWMIC.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeDebugPrivilege	4868	iis_agent32.exe
Token: SeBackupPrivilege	5112	vssvc.exe
Token: SeRestorePrivilege	5112	vssvc.exe
Token: SeAuditPrivilege	5112	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4280	WMIC.exe
Token: SeSecurityPrivilege	4280	WMIC.exe
Token: SeTakeOwnershipPrivilege	4280	WMIC.exe
Token: SeLoadDriverPrivilege	4280	WMIC.exe
Token: SeSystemProfilePrivilege	4280	WMIC.exe
Token: SeSystemtimePrivilege	4280	WMIC.exe
Token: SeProfSingleProcessPrivilege	4280	WMIC.exe
Token: SeIncBasePriorityPrivilege	4280	WMIC.exe
Token: SeCreatePagefilePrivilege	4280	WMIC.exe
Token: SeBackupPrivilege	4280	WMIC.exe
Token: SeRestorePrivilege	4280	WMIC.exe
Token: SeShutdownPrivilege	4280	WMIC.exe
Token: SeDebugPrivilege	4280	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4280	WMIC.exe
Token: SeRemoteShutdownPrivilege	4280	WMIC.exe
Token: SeUndockPrivilege	4280	WMIC.exe
Token: SeManageVolumePrivilege	4280	WMIC.exe
Token: 33	4280	WMIC.exe
Token: 34	4280	WMIC.exe
Token: 35	4280	WMIC.exe
Token: 36	4280	WMIC.exe
Token: SeSecurityPrivilege	4600	wevtutil.exe
Token: SeBackupPrivilege	4600	wevtutil.exe
Token: SeSecurityPrivilege	1624	wevtutil.exe
Token: SeBackupPrivilege	1624	wevtutil.exe
Token: SeSecurityPrivilege	4688	wevtutil.exe
Token: SeBackupPrivilege	4688	wevtutil.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

iis_agent32.exeSppExtComObj.exe

description	pid	process	target process
PID 4868 wrote to memory of 5044	4868	iis_agent32.exe	cmd.exe
PID 4868 wrote to memory of 360	4868	iis_agent32.exe	cmd.exe
PID 4868 wrote to memory of 3980	4868	iis_agent32.exe	cmd.exe
PID 4868 wrote to memory of 4472	4868	iis_agent32.exe	cmd.exe
PID 4868 wrote to memory of 3636	4868	iis_agent32.exe	cmd.exe
PID 4868 wrote to memory of 4548	4868	iis_agent32.exe	cmd.exe
PID 4868 wrote to memory of 4656	4868	iis_agent32.exe	cmd.exe
PID 4624 wrote to memory of 4308	4624	SppExtComObj.exe	SLUI.exe

Deletes shadow copies 2 TTPs 2 IoCs
ransomware

Inhibit System Recovery
T1490

Processes:

vssadmin.exeWMIC.exe

pid process

5084 vssadmin.exe
4280 WMIC.exe

pid	process
5084	vssadmin.exe
4280	WMIC.exe

Uses Volume Shadow Copy Service COM API 14 IoCs

ransomware

Processes:

vssadmin.exevssvc.exe

description	ioc	pid	process
Key opened	\Registry\Machine\Software\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}	5084	vssadmin.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}	5084	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\TreatAs	5084	vssadmin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\	5084	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\InprocServer32	5084	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\InprocHandler32	5084	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\InprocHandler	5084	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}	5112	vssvc.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}	5112	vssvc.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\TreatAs	5112	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\	5112	vssvc.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\InprocServer32	5112	vssvc.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\InprocHandler32	5112	vssvc.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\InprocHandler	5112	vssvc.exe

Modifies Boot Configuration Data 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4444 bcdedit.exe
3664 bcdedit.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

iis_agent32.exe

pid process

4868 iis_agent32.exe

pid	process
4444	bcdedit.exe
3664	bcdedit.exe

pid	process
4868	iis_agent32.exe

Drops file in system dir 64 IoCs

Processes:

iis_agent32.exe

description	ioc	pid	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\Zenis-Instructions.html	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\Zenis-Instructions.html	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf	4868	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf => C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Zenis-I8.I8k3kxIQMlHx	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf	4868	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf => C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Zenis-7k.7k4jE28DkNh5	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf	4868	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf => C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Zenis-N1.N1SmcN7tibcv	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RTC.der	4868	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RTC.der => C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Zenis-XA.XA4AivCuS7Qn	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf	4868	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf => C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Zenis-9W.9WoXaPDKOJby	4868	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Zenis-Instructions.html	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Zenis-Instructions.html	4868	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\Zenis-Instructions.html	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\Zenis-Instructions.html	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt	4868	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt => C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\Zenis-Hi.HiLhmPSl2vOW	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt	4868	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt => C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\Zenis-WN.WNueQuJAzCmC	4868	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\Zenis-Instructions.html	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\Zenis-Instructions.html	4868	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\Zenis-Instructions.html	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\Zenis-Instructions.html	4868	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\Zenis-Instructions.html	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\Zenis-Instructions.html	4868	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\Zenis-Instructions.html	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\Zenis-Instructions.html	4868	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\Zenis-Instructions.html	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\Zenis-Instructions.html	4868	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\Zenis-Instructions.html	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\Zenis-Instructions.html	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf	4868	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf => C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\Zenis-2D.2DgSjQYCicNZ	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf	4868	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf => C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\Zenis-Is.IsFPOvOafumF	4868	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\Zenis-Instructions.html	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\Zenis-Instructions.html	4868	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\Zenis-Instructions.html	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\Zenis-Instructions.html	4868	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\Zenis-Instructions.html	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\Zenis-Instructions.html	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html	4868	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html => C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\Zenis-h8.h8K9GJWSlf7E	4868	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\Zenis-Instructions.html	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\Zenis-Instructions.html	4868	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\Zenis-Instructions.html	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\Zenis-Instructions.html	4868	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\Zenis-Instructions.html	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\Zenis-Instructions.html	4868	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\Zenis-Instructions.html	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\Zenis-Instructions.html	4868	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\Zenis-Instructions.html	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\Zenis-Instructions.html	4868	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\Zenis-Instructions.html	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\Zenis-Instructions.html	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf	4868	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf => C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Zenis-DW.DWCYRUY058ZA	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	4868	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf => C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Zenis-SB.SBlU5zPP1Qyr	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	4868	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf => C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Zenis-QE.QEhGBRaqwWwX	4868	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf	4868	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf => C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Zenis-sz.szvpp1KniEAQ	4868	iis_agent32.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	pid	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0"	992	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1"	992	svchost.exe

Clears Windows event logs 1 TTPs 3 IoCs
evasion ransomware

Indicator Removal
T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exe

pid process

4600 wevtutil.exe
1624 wevtutil.exe
4688 wevtutil.exe

pid	process
4600	wevtutil.exe
1624	wevtutil.exe
4688	wevtutil.exe

Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	pid	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	4968	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	4968	svchost.exe

C:\Users\Admin\AppData\Local\Temp\iis_agent32.exe
"C:\Users\Admin\AppData\Local\Temp\iis_agent32.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Drops file in system dir
PID:4868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /Quiet
1⤵
PID:5044

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /Quiet
1⤵
- Deletes shadow copies
- Uses Volume Shadow Copy Service COM API
PID:5084

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Uses Volume Shadow Copy Service COM API
PID:5112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
1⤵
PID:2028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C WMIC.exe shadowcopy delete
1⤵
PID:360

C:\Windows\System32\Wbem\WMIC.exe
WMIC.exe shadowcopy delete
1⤵
- Suspicious use of AdjustPrivilegeToken
- Deletes shadow copies
PID:4280

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Bcdedit.exe /set {default} recoveryenabled no
1⤵
PID:3980

C:\Windows\system32\bcdedit.exe
Bcdedit.exe /set {default} recoveryenabled no
1⤵
- Modifies Boot Configuration Data
PID:4444

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
1⤵
PID:4472

C:\Windows\system32\bcdedit.exe
Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Modifies Boot Configuration Data
PID:3664

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wevtutil.exe cl Application
1⤵
PID:3636

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl Application
1⤵
- Suspicious use of AdjustPrivilegeToken
- Clears Windows event logs
PID:4600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wevtutil.exe cl Security
1⤵
PID:4548

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl Security
1⤵
- Suspicious use of AdjustPrivilegeToken
- Clears Windows event logs
PID:1624

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wevtutil.exe cl System
1⤵
PID:4656

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl System
1⤵
- Suspicious use of AdjustPrivilegeToken
- Clears Windows event logs
PID:4688

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
1⤵
PID:4308

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
PID:4024

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4832

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
1⤵
- Checks system information in the registry (likely anti-VM)
PID:4968

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
1⤵
- Windows security modification
PID:992