44caliber | eb18e1c355e002f0589621dd7f67605004874c016ac7e3f3ea93ee0092a183ff

Analysis

max time kernel
48s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CLModdingTool.exe
Size

2.8MB
MD5

3e8467e2688b2efa61f59f22f809f1e0
SHA1

a6c5df599e482932d3beda04c8ec6280fe6d68e8
SHA256

eb18e1c355e002f0589621dd7f67605004874c016ac7e3f3ea93ee0092a183ff
SHA512

43c252147ac8e63ad28d672ef866608af523e73991093d650b61a40c55b7415208bc472d29e6e8c650ca580b0b71ff35af0e4945d387e242878a114ea84883d5
SSDEEP

49152:9svNXfFAw+qqIlu3Ab7AUziVj3djevc2FmpLAcyxEDIUqsfix5b4qPcxxKppk:9sdfmZIllvYj3djeUHhaESV5b4qPIKLk

Score

10^/10

44caliber xworm evasion execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1239664839861731431/VT6K0qlAVUjcvrSdaA7o80cVaJyetsfS1bh1v1T-yNWgA-Xp45pD3IwxPT8-ZVpBj_mb

Extracted

Family

xworm

Version

5.0

central-feb.gl.at.ply.gg:50764

Mutex

v9noCapeVzXu1P4f

Attributes

Install_directory
%AppData%
install_file
ModsInstaller.exe

aes.plain

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ModsPack.exe	family_xworm
behavioral2/memory/4432-47-0x0000000000840000-0x0000000000878000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2556 powershell.exe
2164 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
2556	powershell.exe
2164	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CLModdingTool.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CLModdingTool.exe

Drops startup file 2 IoCs

Processes:

ModsPack.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ModsInstaller.lnk	ModsPack.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ModsInstaller.lnk	ModsPack.exe

Executes dropped EXE 5 IoCs

Processes:

ClokaHelper.exeClockModdingToolInstaller.exeModsPack.execlockamoddingtool.exegmstcccpdzbb.exe

pid process

5096 ClokaHelper.exe
3460 ClockModdingToolInstaller.exe
4432 ModsPack.exe
3404 clockamoddingtool.exe
1388 gmstcccpdzbb.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ModsPack.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ModsInstaller = "C:\\Users\\Admin\\AppData\\Roaming\\ModsInstaller.exe"	ModsPack.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

42 freegeoip.app
44 freegeoip.app
53 ip-api.com

flow	ioc
42	freegeoip.app
44	freegeoip.app
53	ip-api.com

Drops file in System32 directory 3 IoCs

Processes:

ClockModdingToolInstaller.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	ClockModdingToolInstaller.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ClockModdingToolInstaller.exe

description pid process target process

PID 3460 set thread context of 2092 3460 ClockModdingToolInstaller.exe dialer.exe
Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe

description	pid	process	target process
PID 3460 set thread context of 2092	3460	ClockModdingToolInstaller.exe	dialer.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
4960	sc.exe
5792	sc.exe
5180	sc.exe
5532	sc.exe
1428	sc.exe
5100	sc.exe
2808	sc.exe
2888	sc.exe
2472	sc.exe
1980	sc.exe
4552	sc.exe
3128	sc.exe
6000	sc.exe
5884	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exemousocoreworker.exeClokaHelper.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ClokaHelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ClokaHelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe

Modifies data under HKEY_USERS 53 IoCs

Processes:

powershell.exesvchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02tqizjznlcunvbb\Provision Tuesday, May 14, 2024 10:24:58 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAlOhg+TnVyEqnpU7UmankpgAAAAACAAAAAAAQZgAAAAEAACAAAAC7baYdvpwJlNHN0mVCKKH/9SD+v/IGW8qUixerkOmiwgAAAAAOgAAAAAIAACAAAACkuwFZfHKY3ZZMyWFYABQalTwQ3P1KyhyZ9f7PmJIq7SAAAAB8jLDsDhTjJttACEoV+su38K61qElOGLHxMOkP9RAVN0AAAADiqtXVfLA+bWXxcLZliOk8EEvX4zXG9MURcZdB9Rk8+viKWK7TadDGWeybLOtCt2r+zVyjHOKVNi5sP6R2j/fw"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02drrjiezxqyzfah	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02asdkrontzbptlt	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02tqizjznlcunvbb	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02asdkrontzbptlt\Provision Tuesday, May 14, 2024 10:24:55 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAlOhg+TnVyEqnpU7UmankpgAAAAACAAAAAAAQZgAAAAEAACAAAADyjVuGHUs6p+6tbAM66/ydcKaveP1/pXop+ycOTUjBCQAAAAAOgAAAAAIAACAAAAC0kxrYn5SDOlAC8gtdLnHh/x7naBWQietgtTJEWlRt3yAAAAB0YFlGUJ2ngNju/sQuBxW6+OrVdVNLrNlUbWJCPyuKbUAAAABhJNw8cZU08Y3Dg35txYMWXDm21Aa5jWWpJvijQhXFySHsF36NxOKpe6mm/DodlZNks0DFobCLTaA+7H6L23mf"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02drrjiezxqyzfah\Provision Tuesday, May 14, 2024 10:24:58 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAlOhg+TnVyEqnpU7UmankpgAAAAACAAAAAAAQZgAAAAEAACAAAACs1vCIQSDqG7vol+NVhxeNa/AekZ21/PS7gzdC5I1JPQAAAAAOgAAAAAIAACAAAADcpgSBYy7CgctrmSCX8mO1JF7+yoQvf2hCw+0dvSAhQCAAAAAhe4bf2qpNglDIf8MxS/DkjUNhIE/k+wvpk0eIINv5+EAAAACl+vJxcMirfOE5aGJPNbUtfq2cAR3dhY+6FN0XfHnEPqBcTbG0HK61Z+d7uamV3K10ORH42yBaetsuv9pCxvvk"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe

Modifies registry class 1 IoCs

Processes:

sihost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ClokaHelper.exeClockModdingToolInstaller.exepowershell.exedialer.exeModsPack.exegmstcccpdzbb.exepowershell.exewmiprvse.exe

pid	process
5096	ClokaHelper.exe
5096	ClokaHelper.exe
5096	ClokaHelper.exe
5096	ClokaHelper.exe
3460	ClockModdingToolInstaller.exe
2556	powershell.exe
2556	powershell.exe
2556	powershell.exe
3460	ClockModdingToolInstaller.exe
3460	ClockModdingToolInstaller.exe
3460	ClockModdingToolInstaller.exe
3460	ClockModdingToolInstaller.exe
3460	ClockModdingToolInstaller.exe
3460	ClockModdingToolInstaller.exe
3460	ClockModdingToolInstaller.exe
3460	ClockModdingToolInstaller.exe
3460	ClockModdingToolInstaller.exe
3460	ClockModdingToolInstaller.exe
3460	ClockModdingToolInstaller.exe
3460	ClockModdingToolInstaller.exe
2092	dialer.exe
2092	dialer.exe
3460	ClockModdingToolInstaller.exe
4432	ModsPack.exe
4432	ModsPack.exe
3460	ClockModdingToolInstaller.exe
3460	ClockModdingToolInstaller.exe
1388	gmstcccpdzbb.exe
2092	dialer.exe
2092	dialer.exe
5096	ClokaHelper.exe
5096	ClokaHelper.exe
2164	powershell.exe
2164	powershell.exe
2164	powershell.exe
2092	dialer.exe
2092	dialer.exe
1076	wmiprvse.exe
1076	wmiprvse.exe
2092	dialer.exe
2092	dialer.exe
2092	dialer.exe
2092	dialer.exe
2092	dialer.exe
2092	dialer.exe
2092	dialer.exe
2092	dialer.exe
2164	powershell.exe
2092	dialer.exe
2092	dialer.exe
2092	dialer.exe
2092	dialer.exe
2092	dialer.exe
2092	dialer.exe
2164	powershell.exe
2164	powershell.exe
2092	dialer.exe
2092	dialer.exe
2092	dialer.exe
2092	dialer.exe
2092	dialer.exe
2092	dialer.exe
2092	dialer.exe
2092	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

ClokaHelper.exeModsPack.exepowershell.exepowercfg.exeClockModdingToolInstaller.exedialer.exepowercfg.exepowercfg.exepowershell.exesvchost.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	5096	ClokaHelper.exe
Token: SeDebugPrivilege	4432	ModsPack.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeShutdownPrivilege	4404	powercfg.exe
Token: SeCreatePagefilePrivilege	4404	powercfg.exe
Token: SeDebugPrivilege	3460	ClockModdingToolInstaller.exe
Token: SeDebugPrivilege	2092	dialer.exe
Token: SeShutdownPrivilege	4924	powercfg.exe
Token: SeCreatePagefilePrivilege	4924	powercfg.exe
Token: SeShutdownPrivilege	1448	powercfg.exe
Token: SeCreatePagefilePrivilege	1448	powercfg.exe
Token: SeDebugPrivilege	4432	ModsPack.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2748	svchost.exe
Token: SeIncreaseQuotaPrivilege	2748	svchost.exe
Token: SeSecurityPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeLoadDriverPrivilege	2748	svchost.exe
Token: SeSystemtimePrivilege	2748	svchost.exe
Token: SeBackupPrivilege	2748	svchost.exe
Token: SeRestorePrivilege	2748	svchost.exe
Token: SeShutdownPrivilege	2748	svchost.exe
Token: SeSystemEnvironmentPrivilege	2748	svchost.exe
Token: SeUndockPrivilege	2748	svchost.exe
Token: SeManageVolumePrivilege	2748	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2748	svchost.exe
Token: SeIncreaseQuotaPrivilege	2748	svchost.exe
Token: SeSecurityPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeLoadDriverPrivilege	2748	svchost.exe
Token: SeSystemtimePrivilege	2748	svchost.exe
Token: SeBackupPrivilege	2748	svchost.exe
Token: SeRestorePrivilege	2748	svchost.exe
Token: SeShutdownPrivilege	2748	svchost.exe
Token: SeSystemEnvironmentPrivilege	2748	svchost.exe
Token: SeUndockPrivilege	2748	svchost.exe
Token: SeManageVolumePrivilege	2748	svchost.exe
Token: SeAuditPrivilege	2184	svchost.exe
Token: SeAuditPrivilege	2688	svchost.exe
Token: SeAuditPrivilege	2688	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2748	svchost.exe
Token: SeIncreaseQuotaPrivilege	2748	svchost.exe
Token: SeSecurityPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeLoadDriverPrivilege	2748	svchost.exe
Token: SeSystemtimePrivilege	2748	svchost.exe
Token: SeBackupPrivilege	2748	svchost.exe
Token: SeRestorePrivilege	2748	svchost.exe
Token: SeShutdownPrivilege	2748	svchost.exe
Token: SeSystemEnvironmentPrivilege	2748	svchost.exe
Token: SeUndockPrivilege	2748	svchost.exe
Token: SeManageVolumePrivilege	2748	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2748	svchost.exe
Token: SeIncreaseQuotaPrivilege	2748	svchost.exe
Token: SeSecurityPrivilege	2748	svchost.exe
Token: SeTakeOwnershipPrivilege	2748	svchost.exe
Token: SeLoadDriverPrivilege	2748	svchost.exe
Token: SeSystemtimePrivilege	2748	svchost.exe
Token: SeBackupPrivilege	2748	svchost.exe
Token: SeRestorePrivilege	2748	svchost.exe
Token: SeShutdownPrivilege	2748	svchost.exe
Token: SeSystemEnvironmentPrivilege	2748	svchost.exe
Token: SeUndockPrivilege	2748	svchost.exe
Token: SeManageVolumePrivilege	2748	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

CLModdingTool.execlockamoddingtool.exe

pid process

1372 CLModdingTool.exe
3404 clockamoddingtool.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ModsPack.exe

pid process

4432 ModsPack.exe

pid	process
1372	CLModdingTool.exe
3404	clockamoddingtool.exe

pid	process
4432	ModsPack.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

CLModdingTool.execmd.exeClockModdingToolInstaller.exedialer.exe

description	pid	process	target process
PID 1372 wrote to memory of 5096	1372	CLModdingTool.exe	ClokaHelper.exe
PID 1372 wrote to memory of 5096	1372	CLModdingTool.exe	ClokaHelper.exe
PID 1372 wrote to memory of 3460	1372	CLModdingTool.exe	ClockModdingToolInstaller.exe
PID 1372 wrote to memory of 3460	1372	CLModdingTool.exe	ClockModdingToolInstaller.exe
PID 1372 wrote to memory of 4432	1372	CLModdingTool.exe	ModsPack.exe
PID 1372 wrote to memory of 4432	1372	CLModdingTool.exe	ModsPack.exe
PID 1372 wrote to memory of 3404	1372	CLModdingTool.exe	clockamoddingtool.exe
PID 1372 wrote to memory of 3404	1372	CLModdingTool.exe	clockamoddingtool.exe
PID 1372 wrote to memory of 3404	1372	CLModdingTool.exe	clockamoddingtool.exe
PID 2588 wrote to memory of 4732	2588	cmd.exe	wusa.exe
PID 2588 wrote to memory of 4732	2588	cmd.exe	wusa.exe
PID 3460 wrote to memory of 2092	3460	ClockModdingToolInstaller.exe	dialer.exe
PID 3460 wrote to memory of 2092	3460	ClockModdingToolInstaller.exe	dialer.exe
PID 3460 wrote to memory of 2092	3460	ClockModdingToolInstaller.exe	dialer.exe
PID 3460 wrote to memory of 2092	3460	ClockModdingToolInstaller.exe	dialer.exe
PID 3460 wrote to memory of 2092	3460	ClockModdingToolInstaller.exe	dialer.exe
PID 3460 wrote to memory of 2092	3460	ClockModdingToolInstaller.exe	dialer.exe
PID 3460 wrote to memory of 2092	3460	ClockModdingToolInstaller.exe	dialer.exe
PID 2092 wrote to memory of 628	2092	dialer.exe	winlogon.exe
PID 2092 wrote to memory of 688	2092	dialer.exe	lsass.exe
PID 2092 wrote to memory of 964	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 392	2092	dialer.exe	dwm.exe
PID 2092 wrote to memory of 752	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 696	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 1048	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 1084	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 1104	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 1196	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 1232	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 1292	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 1344	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 1352	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 1400	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 1496	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 1512	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 1536	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 1676	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 1720	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 1756	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 1820	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 1872	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 1908	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 1936	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 2028	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 2044	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 2064	2092	dialer.exe	spoolsv.exe
PID 2092 wrote to memory of 2184	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 2200	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 2416	2092	dialer.exe	sihost.exe
PID 2092 wrote to memory of 2448	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 2484	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 2492	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 2520	2092	dialer.exe	taskhostw.exe
PID 2092 wrote to memory of 2608	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 2688	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 2708	2092	dialer.exe	sysmon.exe
PID 2092 wrote to memory of 2732	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 2748	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 2756	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 2780	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 2904	2092	dialer.exe	svchost.exe
PID 2092 wrote to memory of 704	2092	dialer.exe	unsecapp.exe
PID 2092 wrote to memory of 3332	2092	dialer.exe	Explorer.EXE
PID 2092 wrote to memory of 3468	2092	dialer.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:628

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:392

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
PID:696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1084

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1196

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2520

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1400

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
- Modifies registry class
PID:2416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1496

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2044

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:2904

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:704

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\CLModdingTool.exe
"C:\Users\Admin\AppData\Local\Temp\CLModdingTool.exe"
2⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Local\Temp\ClokaHelper.exe
"C:\Users\Admin\AppData\Local\Temp\ClokaHelper.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Users\Admin\AppData\Local\Temp\ClockModdingToolInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\ClockModdingToolInstaller.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
4⤵
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
5⤵
PID:4732

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
4⤵
- Launches sc.exe
PID:1428

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:2888

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
4⤵
- Launches sc.exe
PID:2472

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
4⤵
- Launches sc.exe
PID:5100

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
4⤵
- Launches sc.exe
PID:4960

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
4⤵
PID:60

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "CVKCQNWB"
4⤵
- Launches sc.exe
PID:1980

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "CVKCQNWB" binpath= "C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe" start= "auto"
4⤵
- Launches sc.exe
PID:4552

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:2808

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "CVKCQNWB"
4⤵
- Launches sc.exe
PID:3128

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\ModsPack.exe
"C:\Users\Admin\AppData\Local\Temp\ModsPack.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4432

C:\Users\Admin\AppData\Local\Temp\clockamoddingtool.exe
"C:\Users\Admin\AppData\Local\Temp\clockamoddingtool.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:3404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3468

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3732

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3944

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2140

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2260

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:1240

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2072

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:1776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1732

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:1592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:3856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2b0,0x7ffce2632e98,0x7ffce2632ea4,0x7ffce2632eb0
2⤵
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2936 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:3
2⤵
PID:1576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3984 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
2⤵
PID:5204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:1572

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:2244

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 8f28368c188c99b93b69ffb4f95289b3 ikm+TZay60mp/koIVYbW0g.0.1.0.0.0
1⤵
PID:4420

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
2⤵
PID:1684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:1932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:4792

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1076

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4360

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
PID:1556

C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe
C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1388

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:5460

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:5796

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:5180

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:5792

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:6000

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:5532

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:5884

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:6092

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:4544

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:6128

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:6140

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
2⤵
PID:3784

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
2⤵
PID:1624

C:\Windows\system32\dialer.exe
dialer.exe
2⤵
PID:2440

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
b79191de87cdf691a3959b68ccc68fb0

SHA1
6905240c89783fb4484a3ccbded03483e6e04527

SHA256
54f804efedad7a17be8e6c7982ef8eb97499d025b42bee3d5912aa103aba9ec2

SHA512
9f834cc0ec0e1879c71618068f2e640393744d3eeb8e6cedbc438b382d8a28802acc45d5dc142535517c1b149c2b31a4ee9ea30347f4f6c46fab7bf8abd6c723

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClockModdingToolInstaller.exe
Filesize
2.8MB

MD5
ea1cd01967246105d1df5dd754c18652

SHA1
9f8f3d3bd6a8ffe090b20681afc6cd4db5c8f6fc

SHA256
64c476205c0ef86807d824120fa30cd0c5ca12c6bf629d311269362b8beb6d1e

SHA512
609d4628eb2bb9a33d602fd7520c0a05ca5026f6d595d9d21fa845ea740618f7f5da43a4cdd65bbd47c5b3b8a26b42ef7d0fe4431c9e57fda6030f7ddd2e796f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClokaHelper.exe
Filesize
274KB

MD5
0c36ba36eb375ad5dd4caf9f5d9dc986

SHA1
120aea60169664c91fc822b6686806c018df5c2d

SHA256
b74bb17ed58c3949175b5c0f2afcb5107030b08a863c0650a9ca933ae34a6944

SHA512
d30441b58c0e6192e669f1ec2b41799a088ddc8860e50c2151ae817cb07547f7e4df3b5984a3aaf82838ff628ff39d083bcf22cc6b85ad3751fee1a3cdc16409

Download Submit
C:\Users\Admin\AppData\Local\Temp\ModsPack.exe
Filesize
205KB

MD5
be7caa55623b12b1eedc4065ea0448e9

SHA1
6adac34012f95232b12961e34ddace02beaeb4d8

SHA256
0d44972799c41fbeabeb1d539e6108a4e553f118951f5825626fe7e13785dc9e

SHA512
3b101a1f263204f7e0d09d03b51b3c19a52c59309818fc6ec0646a61b368c786939e9d45cb6303c8742a7c6a47594a2bbefbd835cada6b57ab02a18eb6b0c219

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xyvzzpy1.0l1.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\clockamoddingtool.exe
Filesize
29KB

MD5
99513e6a542dda990564077a4295f3ae

SHA1
2e0dd1b6e1e1b0fe7489cced98ed5bbef5fccc46

SHA256
a463a392698a6502f64dfc092068b1ea880846ed24e261edf29f6546462fa7c9

SHA512
564a2d4404146cd91b4edc4acaed4c388457b97445d1cea7f5a9a41007c6feb170e8ae88704fc00eb4a33ea999db6c1d49af577405ee3729ed764bdf97507d9b

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
746B

MD5
fda591977b072f6cfef3f279d5c77f06

SHA1
1a1d7161f7f6397346e8bce5f95ac0788942abdd

SHA256
78eb4b5b1bc70369f2f3e31330b86f686278ddb532bd0c7d4fbceeb5c7e88930

SHA512
ca53a583540964ec3fb49b0f47960ec547098737bc74e2bf51943cc68a12f13dd029ccbb33530e2ba22c4c7f2f12e076aae4573e39585a48dff5c4ce187b2928

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
1KB

MD5
36e88526c7be54984c8aed66f3b78592

SHA1
0142c72bc2ee0a0548af1b8a71b86a86d8fb53f0

SHA256
f92a5f4563556de1462bcd24ceda2f93e6416a211471cc7ff7714d2a8fff3cba

SHA512
bbc6b2b0586d91773ffb5e43069c67297219ba570394f8413cdfb65ca399d8669f3c0c202c4993351ae7db63549d1d7a2e5d86745f6ac09b5ef1e747cc3e3f1c

Download Submit
memory/392-119-0x00000204A6850000-0x00000204A687B000-memory.dmp

Filesize
172KB

Download
memory/392-120-0x00007FFCC7D90000-0x00007FFCC7DA0000-memory.dmp

Filesize
64KB

Download
memory/628-117-0x00007FFCC7D90000-0x00007FFCC7DA0000-memory.dmp

Filesize
64KB

Download
memory/628-109-0x000001D6BA350000-0x000001D6BA374000-memory.dmp

Filesize
144KB

Download
memory/628-116-0x000001D6BA380000-0x000001D6BA3AB000-memory.dmp

Filesize
172KB

Download
memory/688-112-0x00007FFCC7D90000-0x00007FFCC7DA0000-memory.dmp

Filesize
64KB

Download
memory/688-111-0x0000021917CB0000-0x0000021917CDB000-memory.dmp

Filesize
172KB

Download
memory/696-170-0x000001E2ADF40000-0x000001E2ADF6B000-memory.dmp

Filesize
172KB

Download
memory/696-171-0x00007FFCC7D90000-0x00007FFCC7DA0000-memory.dmp

Filesize
64KB

Download
memory/752-177-0x00000224D0990000-0x00000224D09BB000-memory.dmp

Filesize
172KB

Download
memory/752-178-0x00007FFCC7D90000-0x00007FFCC7DA0000-memory.dmp

Filesize
64KB

Download
memory/964-174-0x000001956FFD0000-0x000001956FFFB000-memory.dmp

Filesize
172KB

Download
memory/964-175-0x00007FFCC7D90000-0x00007FFCC7DA0000-memory.dmp

Filesize
64KB

Download
memory/1048-196-0x00007FFCC7D90000-0x00007FFCC7DA0000-memory.dmp

Filesize
64KB

Download
memory/1048-195-0x0000026C07C90000-0x0000026C07CBB000-memory.dmp

Filesize
172KB

Download
memory/1084-199-0x00007FFCC7D90000-0x00007FFCC7DA0000-memory.dmp

Filesize
64KB

Download
memory/1084-198-0x00000260A0170000-0x00000260A019B000-memory.dmp

Filesize
172KB

Download
memory/1104-258-0x000001BCE1540000-0x000001BCE156B000-memory.dmp

Filesize
172KB

Download
memory/1104-259-0x00007FFCC7D90000-0x00007FFCC7DA0000-memory.dmp

Filesize
64KB

Download
memory/1196-261-0x000001844D490000-0x000001844D4BB000-memory.dmp

Filesize
172KB

Download
memory/1196-262-0x00007FFCC7D90000-0x00007FFCC7DA0000-memory.dmp

Filesize
64KB

Download
memory/1232-264-0x000001AA8FAC0000-0x000001AA8FAEB000-memory.dmp

Filesize
172KB

Download
memory/1232-265-0x00007FFCC7D90000-0x00007FFCC7DA0000-memory.dmp

Filesize
64KB

Download
memory/1292-268-0x0000022D91B40000-0x0000022D91B6B000-memory.dmp

Filesize
172KB

Download
memory/1292-269-0x00007FFCC7D90000-0x00007FFCC7DA0000-memory.dmp

Filesize
64KB

Download
memory/2092-91-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2092-94-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2092-97-0x00007FFD07D10000-0x00007FFD07F05000-memory.dmp

Filesize
2.0MB

Download
memory/2092-96-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2092-93-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2092-92-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2092-98-0x00007FFD07880000-0x00007FFD0793E000-memory.dmp

Filesize
760KB

Download
memory/2092-106-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2164-529-0x00000249AEC20000-0x00000249AEC3C000-memory.dmp

Filesize
112KB

Download
memory/2164-552-0x00000249AEC60000-0x00000249AEC7A000-memory.dmp

Filesize
104KB

Download
memory/2164-555-0x00000249AEC50000-0x00000249AEC5A000-memory.dmp

Filesize
40KB

Download
memory/2164-554-0x00000249AEC40000-0x00000249AEC46000-memory.dmp

Filesize
24KB

Download
memory/2164-553-0x00000249AEC10000-0x00000249AEC18000-memory.dmp

Filesize
32KB

Download
memory/2164-548-0x00000249AEC00000-0x00000249AEC0A000-memory.dmp

Filesize
40KB

Download
memory/2164-528-0x00000249AEAB0000-0x00000249AEABA000-memory.dmp

Filesize
40KB

Download
memory/2164-527-0x00000249AE9F0000-0x00000249AEAA5000-memory.dmp

Filesize
724KB

Download
memory/2164-526-0x00000249AE9D0000-0x00000249AE9EC000-memory.dmp

Filesize
112KB

Download
memory/2556-80-0x0000014916370000-0x0000014916392000-memory.dmp

Filesize
136KB

Download
memory/3404-516-0x0000000004F00000-0x0000000004F0A000-memory.dmp

Filesize
40KB

Download
memory/3404-77-0x0000000004F20000-0x0000000004FB2000-memory.dmp

Filesize
584KB

Download
memory/3404-75-0x0000000000670000-0x000000000067E000-memory.dmp

Filesize
56KB

Download
memory/3404-76-0x0000000005430000-0x00000000059D4000-memory.dmp

Filesize
5.6MB

Download
memory/4432-47-0x0000000000840000-0x0000000000878000-memory.dmp

Filesize
224KB

Download
memory/4432-48-0x00007FFCE7BB0000-0x00007FFCE8671000-memory.dmp

Filesize
10.8MB

Download
memory/4432-832-0x00007FFCE7BB0000-0x00007FFCE8671000-memory.dmp

Filesize
10.8MB

Download
memory/5096-45-0x000002033E500000-0x000002033E54A000-memory.dmp

Filesize
296KB

Download
memory/5096-44-0x00007FFCE7BB3000-0x00007FFCE7BB5000-memory.dmp

Filesize
8KB

Download