quasar | 178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de

System Information Discovery

Processes:

Ejwkpjr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Ejwkpjr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Ejwkpjr.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Ejwkpjr.exe	themida
C:\Users\Admin\AppData\Local\Temp\Ejwkpjr.exe	themida
behavioral2/memory/3876-143-0x00007FF6E6580000-0x00007FF6E75F6000-memory.dmp	themida
behavioral2/memory/3876-144-0x00007FF6E6580000-0x00007FF6E75F6000-memory.dmp	themida
behavioral2/memory/3876-145-0x00007FF6E6580000-0x00007FF6E75F6000-memory.dmp	themida
behavioral2/memory/3876-146-0x00007FF6E6580000-0x00007FF6E75F6000-memory.dmp	themida
behavioral2/memory/3876-147-0x00007FF6E6580000-0x00007FF6E75F6000-memory.dmp	themida
behavioral2/memory/3876-149-0x00007FF6E6580000-0x00007FF6E75F6000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Ejwkpjr.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Ejwkpjr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Ejwkpjr.exe

Drops file in System32 directory 2 IoCs

Processes:

Ijgfvrk.exe

description	ioc	process
File created	C:\Windows\system32\Windows\MicrosoftSupport.exe	Ijgfvrk.exe
File opened for modification	C:\Windows\system32\Windows\MicrosoftSupport.exe	Ijgfvrk.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Ejwkpjr.exe

pid process

3876 Ejwkpjr.exe

pid	process
3876	Ejwkpjr.exe

Drops file in Windows directory 3 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3316 3876 WerFault.exe Ejwkpjr.exe

pid	pid_target	process	target process
3316	3876	WerFault.exe	Ejwkpjr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

MusNotifyIcon.exeWerFault.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2100 schtasks.exe

pid	process
2100	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies data under HKEY_USERS 50 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4080"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.110865"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4296"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4384"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132895926678249817"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "10.003713"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.197005"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Ejwkpjr.exeWerFault.exe

pid process

3876 Ejwkpjr.exe
3876 Ejwkpjr.exe
3316 WerFault.exe
3316 WerFault.exe

pid	process
3876	Ejwkpjr.exe
3876	Ejwkpjr.exe
3316	WerFault.exe
3316	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Ijgfvrk.exeTiWorker.exeEjwkpjr.exe

description	pid	process
Token: SeDebugPrivilege	1580	Ijgfvrk.exe
Token: SeSecurityPrivilege	620	TiWorker.exe
Token: SeRestorePrivilege	620	TiWorker.exe
Token: SeBackupPrivilege	620	TiWorker.exe
Token: SeDebugPrivilege	3876	Ejwkpjr.exe
Token: SeBackupPrivilege	620	TiWorker.exe
Token: SeRestorePrivilege	620	TiWorker.exe
Token: SeSecurityPrivilege	620	TiWorker.exe
Token: SeBackupPrivilege	620	TiWorker.exe
Token: SeRestorePrivilege	620	TiWorker.exe
Token: SeSecurityPrivilege	620	TiWorker.exe
Token: SeBackupPrivilege	620	TiWorker.exe
Token: SeRestorePrivilege	620	TiWorker.exe
Token: SeSecurityPrivilege	620	TiWorker.exe
Token: SeBackupPrivilege	620	TiWorker.exe
Token: SeRestorePrivilege	620	TiWorker.exe
Token: SeSecurityPrivilege	620	TiWorker.exe
Token: SeBackupPrivilege	620	TiWorker.exe
Token: SeRestorePrivilege	620	TiWorker.exe
Token: SeSecurityPrivilege	620	TiWorker.exe
Token: SeBackupPrivilege	620	TiWorker.exe
Token: SeRestorePrivilege	620	TiWorker.exe
Token: SeSecurityPrivilege	620	TiWorker.exe
Token: SeBackupPrivilege	620	TiWorker.exe
Token: SeRestorePrivilege	620	TiWorker.exe
Token: SeSecurityPrivilege	620	TiWorker.exe
Token: SeBackupPrivilege	620	TiWorker.exe
Token: SeRestorePrivilege	620	TiWorker.exe
Token: SeSecurityPrivilege	620	TiWorker.exe
Token: SeBackupPrivilege	620	TiWorker.exe
Token: SeRestorePrivilege	620	TiWorker.exe
Token: SeSecurityPrivilege	620	TiWorker.exe
Token: SeBackupPrivilege	620	TiWorker.exe
Token: SeRestorePrivilege	620	TiWorker.exe
Token: SeSecurityPrivilege	620	TiWorker.exe
Token: SeBackupPrivilege	620	TiWorker.exe
Token: SeRestorePrivilege	620	TiWorker.exe
Token: SeSecurityPrivilege	620	TiWorker.exe
Token: SeBackupPrivilege	620	TiWorker.exe
Token: SeRestorePrivilege	620	TiWorker.exe
Token: SeSecurityPrivilege	620	TiWorker.exe
Token: SeBackupPrivilege	620	TiWorker.exe
Token: SeRestorePrivilege	620	TiWorker.exe
Token: SeSecurityPrivilege	620	TiWorker.exe
Token: SeBackupPrivilege	620	TiWorker.exe
Token: SeRestorePrivilege	620	TiWorker.exe
Token: SeSecurityPrivilege	620	TiWorker.exe
Token: SeBackupPrivilege	620	TiWorker.exe
Token: SeRestorePrivilege	620	TiWorker.exe
Token: SeSecurityPrivilege	620	TiWorker.exe
Token: SeBackupPrivilege	620	TiWorker.exe
Token: SeRestorePrivilege	620	TiWorker.exe
Token: SeSecurityPrivilege	620	TiWorker.exe
Token: SeBackupPrivilege	620	TiWorker.exe
Token: SeRestorePrivilege	620	TiWorker.exe
Token: SeSecurityPrivilege	620	TiWorker.exe
Token: SeBackupPrivilege	620	TiWorker.exe
Token: SeRestorePrivilege	620	TiWorker.exe
Token: SeSecurityPrivilege	620	TiWorker.exe
Token: SeBackupPrivilege	620	TiWorker.exe
Token: SeRestorePrivilege	620	TiWorker.exe
Token: SeSecurityPrivilege	620	TiWorker.exe
Token: SeBackupPrivilege	620	TiWorker.exe
Token: SeRestorePrivilege	620	TiWorker.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de.exeWerFault.exeIjgfvrk.exe

description	pid	process	target process
PID 3024 wrote to memory of 1580	3024	178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de.exe	Ijgfvrk.exe
PID 3024 wrote to memory of 1580	3024	178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de.exe	Ijgfvrk.exe
PID 3024 wrote to memory of 3876	3024	178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de.exe	Ejwkpjr.exe
PID 3024 wrote to memory of 3876	3024	178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de.exe	Ejwkpjr.exe
PID 776 wrote to memory of 3876	776	WerFault.exe	Ejwkpjr.exe
PID 776 wrote to memory of 3876	776	WerFault.exe	Ejwkpjr.exe
PID 1580 wrote to memory of 2100	1580	Ijgfvrk.exe	schtasks.exe
PID 1580 wrote to memory of 2100	1580	Ijgfvrk.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de.exe
"C:\Users\Admin\AppData\Local\Temp\178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3024

C:\Users\Admin\AppData\Local\Temp\Ijgfvrk.exe
"C:\Users\Admin\AppData\Local\Temp\Ijgfvrk.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Support" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Ijgfvrk.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2100

C:\Users\Admin\AppData\Local\Temp\Ejwkpjr.exe
"C:\Users\Admin\AppData\Local\Temp\Ejwkpjr.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3876

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3876 -s 720
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:3316

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:3556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2504

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 368 -p 3876 -ip 3876
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

5

System Information Discovery

6

Virtualization/Sandbox Evasion