427abc2035bd94beb2512e021757f81b9fbac201eb72018296889a8509e56072

System Information Discovery

Processes:

StartMenuExperienceHost.exea00b8f8bc69f5c71136f4f4dc60e6ac0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

a00b8f8bc69f5c71136f4f4dc60e6ac0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/2852-132-0x00000000008F0000-0x00000000011C6000-memory.dmp	themida
behavioral2/memory/2852-133-0x00000000008F0000-0x00000000011C6000-memory.dmp	themida
C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe	themida
C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe	themida
behavioral2/memory/4072-142-0x0000000000F80000-0x0000000001856000-memory.dmp	themida
behavioral2/memory/4072-143-0x0000000000F80000-0x0000000001856000-memory.dmp	themida

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a00b8f8bc69f5c71136f4f4dc60e6ac0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientCapabilities\\OfficeClickToRun.exe\""	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\KBDLT\\SppExtComObj.exe\""	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\odt\\services.exe\""	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\StartMenuExperienceHost.exe\""	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\DtcInstall\\explorer.exe\""	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\fms\\fontdrvhost.exe\""	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxManifest\\StartMenuExperienceHost.exe\""	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\playtomenu\\dwm.exe\""	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\WpPortingLibrary\\lsass.exe\""	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\HelpPane\\explorer.exe\""	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

Processes:

a00b8f8bc69f5c71136f4f4dc60e6ac0.exeStartMenuExperienceHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe

Drops file in System32 directory 8 IoCs

Processes:

a00b8f8bc69f5c71136f4f4dc60e6ac0.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WpPortingLibrary\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
File opened for modification	C:\Windows\SysWOW64\fms\fontdrvhost.exe	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
File created	C:\Windows\SysWOW64\fms\5b884080fd4f94e2695da25c503f9e33b9605b83	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
File opened for modification	C:\Windows\SysWOW64\playtomenu\dwm.exe	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
File created	C:\Windows\SysWOW64\playtomenu\6cb0b6c459d5d3455a3da700e713f2e2529862ff	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
File opened for modification	C:\Windows\SysWOW64\KBDLT\SppExtComObj.exe	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
File created	C:\Windows\SysWOW64\KBDLT\e1ef82546f0b02b7e974f28047f3788b1128cce1	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
File opened for modification	C:\Windows\SysWOW64\WpPortingLibrary\lsass.exe	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

a00b8f8bc69f5c71136f4f4dc60e6ac0.exeStartMenuExperienceHost.exe

pid process

2852 a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
4072 StartMenuExperienceHost.exe

Drops file in Program Files directory 4 IoCs

Processes:

a00b8f8bc69f5c71136f4f4dc60e6ac0.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\55b276f4edf653fe07efe8f1ecc32d3d195abd16	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities\OfficeClickToRun.exe	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities\e6c9b481da804f07baff8eff543b0a1441069b5d	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe

Drops file in Windows directory 7 IoCs

Processes:

a00b8f8bc69f5c71136f4f4dc60e6ac0.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\HelpPane\explorer.exe	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
File created	C:\Windows\HelpPane\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\StartMenuExperienceHost.exe	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\55b276f4edf653fe07efe8f1ecc32d3d195abd16	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
File opened for modification	C:\Windows\DtcInstall\explorer.exe	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
File created	C:\Windows\DtcInstall\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

MusNotifyIcon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Creates scheduled task(s) 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2168	schtasks.exe
2588	schtasks.exe
3964	schtasks.exe
560	schtasks.exe
3344	schtasks.exe
3872	schtasks.exe
3184	schtasks.exe
1948	schtasks.exe
8	schtasks.exe
4076	schtasks.exe
3000	schtasks.exe

Modifies data under HKEY_USERS 47 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4104"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "4.597565"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132887261953770952"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3912"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe

Modifies registry class 1 IoCs

Processes:

a00b8f8bc69f5c71136f4f4dc60e6ac0.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

a00b8f8bc69f5c71136f4f4dc60e6ac0.exe

pid	process
2852	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
2852	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
2852	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
2852	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
2852	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
2852	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
2852	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
2852	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
2852	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a00b8f8bc69f5c71136f4f4dc60e6ac0.exeStartMenuExperienceHost.exe

description pid process

Token: SeDebugPrivilege 2852 a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
Token: SeDebugPrivilege 4072 StartMenuExperienceHost.exe

description	pid	process
Token: SeDebugPrivilege	2852	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
Token: SeDebugPrivilege	4072	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

a00b8f8bc69f5c71136f4f4dc60e6ac0.execmd.exew32tm.exe

description	pid	process	target process
PID 2852 wrote to memory of 1572	2852	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe	cmd.exe
PID 2852 wrote to memory of 1572	2852	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe	cmd.exe
PID 2852 wrote to memory of 1572	2852	a00b8f8bc69f5c71136f4f4dc60e6ac0.exe	cmd.exe
PID 1572 wrote to memory of 3448	1572	cmd.exe	w32tm.exe
PID 1572 wrote to memory of 3448	1572	cmd.exe	w32tm.exe
PID 1572 wrote to memory of 3448	1572	cmd.exe	w32tm.exe
PID 3448 wrote to memory of 1380	3448	w32tm.exe	w32tm.exe
PID 3448 wrote to memory of 1380	3448	w32tm.exe	w32tm.exe
PID 1572 wrote to memory of 4072	1572	cmd.exe	StartMenuExperienceHost.exe
PID 1572 wrote to memory of 4072	1572	cmd.exe	StartMenuExperienceHost.exe
PID 1572 wrote to memory of 4072	1572	cmd.exe	StartMenuExperienceHost.exe

C:\Users\Admin\AppData\Local\Temp\a00b8f8bc69f5c71136f4f4dc60e6ac0.exe
"C:\Users\Admin\AppData\Local\Temp\a00b8f8bc69f5c71136f4f4dc60e6ac0.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\deRodmE1iE.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
- Suspicious use of WriteProcessMemory
PID:3448

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
4⤵
PID:1380

C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe
"C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:2468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\DtcInstall\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\playtomenu\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\KBDLT\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\WpPortingLibrary\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\HelpPane\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\fms\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

4

Virtualization/Sandbox Evasion

T1497

System Information Discovery

5