109dab92d97421b95132798bcb3fbd2f0194d52426601fe21f1f1d0e77431bd7

Analysis

max time kernel
1801s
max time network
1802s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 13:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Microsoft_crypt.exe
Size

2.7MB
MD5

6daeeadf00855bb08838f08c38c70f37
SHA1

c03525bd823f27a3e2acb8fe95f77d73327aca9d
SHA256

109dab92d97421b95132798bcb3fbd2f0194d52426601fe21f1f1d0e77431bd7
SHA512

7b8213e2fa44edb2e1999b17e199e6f72f048129879d4eb5d1a9d2cb6bf207adc7de9596aa5e6a58a56fa5ad74fe88a8cd7cb79c2176170b7ca061bb2983f61f
SSDEEP

49152:lxJhUIEUjke9UjgcwX4ZKqg2OPf6nAPM0NJ7w4U5i3pMFadI8qKq2LIj680f1ZT4:lZIgUjbwIZzQiA08J7w/i32MC89mj68h

Score

8^/10

bootkit evasion execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4636	powershell.exe
4592	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"	WaaSMedicAgent.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe

Executes dropped EXE 1 IoCs

pid	Process
1540	lhhsgwktkatl.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	pastebin.com
23	pastebin.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	wmiprvse.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	Microsoft_crypt.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk	DllHost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled Start	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe
File opened for modification	C:\Windows\system32\MRT.exe	lhhsgwktkatl.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	lsass.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4188 set thread context of 2472	4188	Microsoft_crypt.exe	103
PID 1540 set thread context of 812	1540	lhhsgwktkatl.exe	128
PID 1540 set thread context of 3100	1540	lhhsgwktkatl.exe	130
PID 1540 set thread context of 1188	1540	lhhsgwktkatl.exe	133

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File created	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1340	sc.exe
1864	sc.exe
3516	sc.exe
3536	sc.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek\CacheStore	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02onbqbirnczfdsj\Provision Monday, May 20, 2024 13:16:12 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAlOhg+TnVyEqnpU7UmankpgAAAAACAAAAAAAQZgAAAAEAACAAAABZYJS1NWXYpLeZ1EC4uh04kLHza9B7S1HtRW1rzXPSdAAAAAAOgAAAAAIAACAAAAAxfOtrcqh4XH4pBtxBvnFuMa7D+H7c1bzsUvPUyMYbHyAAAABObFUBrRNW1/voUmUOfFrjqrpR30PKhs65E7w2braFhEAAAACP+3UoKf94HqMMbn3yMQQWAc9lA8GYsclpeRkGjYBLnesqEwxrrMlc0Gw9qf2QZaUgKiKInMZ2JRxpCa2xF66B"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\0018C00D02864F80 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb0100000094e860f939d5c84aa7a54ed499a9e4a600000000020000000000106600000001000020000000feaa26ece0ea68fde1ef274107b514d18232c4fbd47ade8f142a275a56a75eab000000000e8000000002000020000000b7d2162a674b99d24e361f75133f40332b4a8bfbbefb43c19d9e39694c3c932d80000000b5fede53a885fad85ea2fe187c4b4b2b5c80ab6b97fea6f710d73abfd0a476e030c5ac6c467d4d552ab66b291a28465bda2a2ced533acb174caf12bd1629427ff6f0182e5f75888989054309bd1a160e769cfe018e639a7b343ed5c071ef4d6d8e69278ee71c14a39f2747d80bbce7e7b688e144e92c9a0c03f9a4d568dab62740000000d872844fcbc99005f6d0f90811b7e9b40020c342655bef09ea22c0ad105ad32a70ba99903f66406634811f7b0f91c637c9f7687e79e41733c9dbd30b75c7e9b4	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dialer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "0018C00D02864F80"	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02onbqbirnczfdsj	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	mousocoreworker.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4188	Microsoft_crypt.exe
4636	powershell.exe
4636	powershell.exe
4188	Microsoft_crypt.exe
4188	Microsoft_crypt.exe
4188	Microsoft_crypt.exe
4188	Microsoft_crypt.exe
4188	Microsoft_crypt.exe
4188	Microsoft_crypt.exe
4188	Microsoft_crypt.exe
2472	dialer.exe
2472	dialer.exe
4188	Microsoft_crypt.exe
4188	Microsoft_crypt.exe
4188	Microsoft_crypt.exe
1540	lhhsgwktkatl.exe
2472	dialer.exe
2472	dialer.exe
2472	dialer.exe
2472	dialer.exe
2472	dialer.exe
2472	dialer.exe
2472	dialer.exe
2472	dialer.exe
4592	powershell.exe
4592	powershell.exe
2472	dialer.exe
2472	dialer.exe
4592	powershell.exe
2472	dialer.exe
2472	dialer.exe
2472	dialer.exe
2472	dialer.exe
2472	dialer.exe
2472	dialer.exe
4592	powershell.exe
2472	dialer.exe
2472	dialer.exe
2472	dialer.exe
2472	dialer.exe
2472	dialer.exe
2472	dialer.exe
2472	dialer.exe
2472	dialer.exe
2472	dialer.exe
2472	dialer.exe
4592	powershell.exe
2472	dialer.exe
2472	dialer.exe
2472	dialer.exe
2472	dialer.exe
2472	dialer.exe
2472	dialer.exe
2472	dialer.exe
2472	dialer.exe
4592	powershell.exe
2472	dialer.exe
2472	dialer.exe
2472	dialer.exe
2472	dialer.exe
2472	dialer.exe
2472	dialer.exe
2472	dialer.exe
2472	dialer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
652	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	2472	dialer.exe
Token: SeShutdownPrivilege	1956	powercfg.exe
Token: SeCreatePagefilePrivilege	1956	powercfg.exe
Token: SeShutdownPrivilege	3560	powercfg.exe
Token: SeCreatePagefilePrivilege	3560	powercfg.exe
Token: SeShutdownPrivilege	3648	powercfg.exe
Token: SeCreatePagefilePrivilege	3648	powercfg.exe
Token: SeShutdownPrivilege	1804	powercfg.exe
Token: SeCreatePagefilePrivilege	1804	powercfg.exe
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeShutdownPrivilege	2248	svchost.exe
Token: SeCreatePagefilePrivilege	2248	svchost.exe
Token: SeShutdownPrivilege	2248	svchost.exe
Token: SeCreatePagefilePrivilege	2248	svchost.exe
Token: SeShutdownPrivilege	2248	svchost.exe
Token: SeCreatePagefilePrivilege	2248	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2776	svchost.exe
Token: SeIncreaseQuotaPrivilege	2776	svchost.exe
Token: SeSecurityPrivilege	2776	svchost.exe
Token: SeTakeOwnershipPrivilege	2776	svchost.exe
Token: SeLoadDriverPrivilege	2776	svchost.exe
Token: SeBackupPrivilege	2776	svchost.exe
Token: SeRestorePrivilege	2776	svchost.exe
Token: SeShutdownPrivilege	2776	svchost.exe
Token: SeSystemEnvironmentPrivilege	2776	svchost.exe
Token: SeManageVolumePrivilege	2776	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2776	svchost.exe
Token: SeIncreaseQuotaPrivilege	2776	svchost.exe
Token: SeSecurityPrivilege	2776	svchost.exe
Token: SeTakeOwnershipPrivilege	2776	svchost.exe
Token: SeLoadDriverPrivilege	2776	svchost.exe
Token: SeSystemtimePrivilege	2776	svchost.exe
Token: SeBackupPrivilege	2776	svchost.exe
Token: SeRestorePrivilege	2776	svchost.exe
Token: SeShutdownPrivilege	2776	svchost.exe
Token: SeSystemEnvironmentPrivilege	2776	svchost.exe
Token: SeUndockPrivilege	2776	svchost.exe
Token: SeManageVolumePrivilege	2776	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2776	svchost.exe
Token: SeIncreaseQuotaPrivilege	2776	svchost.exe
Token: SeSecurityPrivilege	2776	svchost.exe
Token: SeTakeOwnershipPrivilege	2776	svchost.exe
Token: SeLoadDriverPrivilege	2776	svchost.exe
Token: SeSystemtimePrivilege	2776	svchost.exe
Token: SeBackupPrivilege	2776	svchost.exe
Token: SeRestorePrivilege	2776	svchost.exe
Token: SeShutdownPrivilege	2776	svchost.exe
Token: SeSystemEnvironmentPrivilege	2776	svchost.exe
Token: SeUndockPrivilege	2776	svchost.exe
Token: SeManageVolumePrivilege	2776	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2776	svchost.exe
Token: SeIncreaseQuotaPrivilege	2776	svchost.exe
Token: SeSecurityPrivilege	2776	svchost.exe
Token: SeTakeOwnershipPrivilege	2776	svchost.exe
Token: SeLoadDriverPrivilege	2776	svchost.exe
Token: SeSystemtimePrivilege	2776	svchost.exe
Token: SeBackupPrivilege	2776	svchost.exe
Token: SeRestorePrivilege	2776	svchost.exe
Token: SeShutdownPrivilege	2776	svchost.exe
Token: SeSystemEnvironmentPrivilege	2776	svchost.exe
Token: SeUndockPrivilege	2776	svchost.exe
Token: SeManageVolumePrivilege	2776	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2776	svchost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
432	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 2472	4188	Microsoft_crypt.exe	103
PID 4188 wrote to memory of 2472	4188	Microsoft_crypt.exe	103
PID 4188 wrote to memory of 2472	4188	Microsoft_crypt.exe	103
PID 4188 wrote to memory of 2472	4188	Microsoft_crypt.exe	103
PID 4188 wrote to memory of 2472	4188	Microsoft_crypt.exe	103
PID 4188 wrote to memory of 2472	4188	Microsoft_crypt.exe	103
PID 4188 wrote to memory of 2472	4188	Microsoft_crypt.exe	103
PID 5000 wrote to memory of 3452	5000	cmd.exe	107
PID 5000 wrote to memory of 3452	5000	cmd.exe	107
PID 2472 wrote to memory of 608	2472	dialer.exe	5
PID 2472 wrote to memory of 668	2472	dialer.exe	7
PID 2472 wrote to memory of 952	2472	dialer.exe	12
PID 2472 wrote to memory of 316	2472	dialer.exe	13
PID 2472 wrote to memory of 508	2472	dialer.exe	14
PID 2472 wrote to memory of 432	2472	dialer.exe	15
PID 2472 wrote to memory of 1040	2472	dialer.exe	17
PID 668 wrote to memory of 2764	668	lsass.exe	50
PID 2472 wrote to memory of 1060	2472	dialer.exe	18
PID 2472 wrote to memory of 1104	2472	dialer.exe	19
PID 2472 wrote to memory of 1172	2472	dialer.exe	20
PID 2472 wrote to memory of 1240	2472	dialer.exe	21
PID 2472 wrote to memory of 1252	2472	dialer.exe	22
PID 2472 wrote to memory of 1320	2472	dialer.exe	23
PID 2472 wrote to memory of 1344	2472	dialer.exe	24
PID 2472 wrote to memory of 1400	2472	dialer.exe	25
PID 2472 wrote to memory of 1484	2472	dialer.exe	26
PID 2472 wrote to memory of 1508	2472	dialer.exe	27
PID 2472 wrote to memory of 1568	2472	dialer.exe	28
PID 2472 wrote to memory of 1644	2472	dialer.exe	29
PID 2472 wrote to memory of 1708	2472	dialer.exe	30
PID 2472 wrote to memory of 1728	2472	dialer.exe	31
PID 2472 wrote to memory of 1808	2472	dialer.exe	32
PID 2472 wrote to memory of 1832	2472	dialer.exe	33
PID 2472 wrote to memory of 1904	2472	dialer.exe	34
PID 2472 wrote to memory of 1912	2472	dialer.exe	35
PID 2472 wrote to memory of 1992	2472	dialer.exe	36
PID 2472 wrote to memory of 2008	2472	dialer.exe	37
PID 2472 wrote to memory of 376	2472	dialer.exe	38
PID 2472 wrote to memory of 2068	2472	dialer.exe	40
PID 2472 wrote to memory of 2172	2472	dialer.exe	41
PID 2472 wrote to memory of 2376	2472	dialer.exe	42
PID 2472 wrote to memory of 2404	2472	dialer.exe	43
PID 2472 wrote to memory of 2484	2472	dialer.exe	44
PID 2472 wrote to memory of 2492	2472	dialer.exe	45
PID 2472 wrote to memory of 2520	2472	dialer.exe	46
PID 2472 wrote to memory of 2584	2472	dialer.exe	47
PID 2472 wrote to memory of 2688	2472	dialer.exe	48
PID 2472 wrote to memory of 2740	2472	dialer.exe	49
PID 2472 wrote to memory of 2764	2472	dialer.exe	50
PID 2472 wrote to memory of 2776	2472	dialer.exe	51
PID 2472 wrote to memory of 2788	2472	dialer.exe	52
PID 2472 wrote to memory of 2804	2472	dialer.exe	53
PID 2472 wrote to memory of 3120	2472	dialer.exe	55
PID 2472 wrote to memory of 3132	2472	dialer.exe	56
PID 2472 wrote to memory of 3156	2472	dialer.exe	57
PID 2472 wrote to memory of 3484	2472	dialer.exe	58
PID 2472 wrote to memory of 3692	2472	dialer.exe	59
PID 2472 wrote to memory of 3928	2472	dialer.exe	61
PID 2472 wrote to memory of 3864	2472	dialer.exe	63
PID 2472 wrote to memory of 4320	2472	dialer.exe	65
PID 2472 wrote to memory of 4648	2472	dialer.exe	66
PID 2472 wrote to memory of 5092	2472	dialer.exe	67
PID 2472 wrote to memory of 5096	2472	dialer.exe	68
PID 2472 wrote to memory of 1272	2472	dialer.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:608
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:316

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of UnmapMainImage
PID:432

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1172
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1240

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1400
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1484

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1904

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2008

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:376

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
PID:2740

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2804

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3132

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3156
- C:\Users\Admin\AppData\Local\Temp\Microsoft_crypt.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft_crypt.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:3452
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3560
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1956
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1804
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3648
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2472
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "QHRAJGDI"
    3⤵
    - Launches sc.exe
    PID:1340
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "QHRAJGDI" binpath= "C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:3536
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:3516
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "QHRAJGDI"
    3⤵
    - Launches sc.exe
    PID:1864
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3484

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3692

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3928

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3864

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:4648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:5092

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:5096

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3576

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2912

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3980

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Drops file in System32 directory
PID:4716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:3080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2b4,0x7ffdb24e2e98,0x7ffdb24e2ea4,0x7ffdb24e2eb0
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3228 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:3
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3860 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3656 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:3268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:2560

C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1540
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4592
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2252
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1928
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2188
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:4712
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1096
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:1628
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4612
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:2280
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4456
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:2648
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:568
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:812
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:3100
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  - Modifies data under HKEY_USERS
  PID:1188

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 2d187c5a3a0aa04d4437f1175583a6d6 ckwhhl7jHUu0fjOkTbw4eQ.0.1.0.0.0
1⤵
- Sets service image path in registry
- Modifies data under HKEY_USERS
PID:4940
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Enumerates system info in registry
PID:4748

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Drops file in Windows directory
PID:4220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Checks processor information in registry
PID:3380

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:1564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe

Filesize
2.7MB

MD5
6daeeadf00855bb08838f08c38c70f37

SHA1
c03525bd823f27a3e2acb8fe95f77d73327aca9d

SHA256
109dab92d97421b95132798bcb3fbd2f0194d52426601fe21f1f1d0e77431bd7

SHA512
7b8213e2fa44edb2e1999b17e199e6f72f048129879d4eb5d1a9d2cb6bf207adc7de9596aa5e6a58a56fa5ad74fe88a8cd7cb79c2176170b7ca061bb2983f61f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
cca5db5649fc1ff8223cd427e1e6ce3c

SHA1
787b5657dddaf9b39a5e510e3a08a70e84b068da

SHA256
2889cdb5e22bdadae54d898d585893e56934ca2e8fe9d159eecc1eb6a99c609e

SHA512
019f83e3d239c68b659dfc5b23fca1d8dc9780b1adaf616363ef34ae5a084b0d3e6b8860c1a533016d485b62fe83d40afcb6311e4f57dac62b0ededa25e4a6ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
46KB

MD5
d48afe7ec61d2b6268d9f2c922c5235c

SHA1
464a09e0ab4781ee300a3ca43abc902b2af3fef1

SHA256
b29993e60569334e6bb23f6d6d67d4abd3369e456df24e48a25eaf364dba8a3f

SHA512
5a73c3ffc67412c319be919941da83778a2f3467502502e16274b6da050862b4337310f7068b1f4da3e69cd71c31c6a663b3910513c6193d67d0abb8cf948e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
46KB

MD5
612d55ffd400cf4a37e2d2a9c1cf5fac

SHA1
98ccd32446f85792363dfb1587039093e8df0a61

SHA256
16c1f4c8778186fe92a217ed4fca43472cdd661808dd3a46361e509784867af5

SHA512
dca1adc7779fe2bb53af0962cdba60dea7cc3e8780ecfcac9d32d0ce0949d01f030e0b4ee97432efeac16b7cbb88e4ed5e1731baaa6c4dd4242c6c3698c8315a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cxx1rrnn.vwv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
2KB

MD5
f313c5b4f95605026428425586317353

SHA1
06be66fa06e1cffc54459c38d3d258f46669d01a

SHA256
129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b

SHA512
b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
2KB

MD5
ceb7caa4e9c4b8d760dbf7e9e5ca44c5

SHA1
a3879621f9493414d497ea6d70fbf17e283d5c08

SHA256
98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9

SHA512
1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
2KB

MD5
7d612892b20e70250dbd00d0cdd4f09b

SHA1
63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5

SHA256
727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02

SHA512
f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
0b990e24f1e839462c0ac35fef1d119e

SHA1
9e17905f8f68f9ce0a2024d57b537aa8b39c6708

SHA256
a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a

SHA512
c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
659eb5a06cc8b2bed0139507bcec9bd9

SHA1
9d12988e9ba864d0cdd6f4e5b7641e191faea00a

SHA256
b0a0fd56c643940877f9f9ecde3a8f7988dd664ca7274f95d2dde4d1b8f1fdf8

SHA512
e200177732cf61ad33fc30d5011c0a6129b3a7db867f5f62cee869ba2a99b1b10c861a758ef7a84c20dfc33c6dfe489367536d5b9b6709f6ac7d99cdb95bc86b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

Filesize
330B

MD5
efdb8d4ca3e4bd1b743d31e927c3dc9c

SHA1
284d76185d9ccdc4efa9ea833852c131e0540cea

SHA256
90f3ee88c20476316ce0590b2ca55c46b7c08b5a13801ba65dd12d07ffd5067e

SHA512
b27939742801d524b9e9c2d5217b268cde75c8b1196e8d38ae2b2d63c52cbfa1a5f522b5bc38e2c6fbf8d6d2f1bc3e8e5dddb8c159a4a93942cbc83d1dd808cb

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
964a1c2c1eef283663bd86adf491da74

SHA1
78aa0b6c87fe6a41fd2d678cca39f843884f1044

SHA256
8d48b732a2360711af5c7d4f2b790872e47eda8df77b927d0abf07aaf971b70b

SHA512
a84cf977380e124f28b39de933de3fd77a31a7523bfce85a84263686681f3d25ece4d2218d2188e899180c8fb77586032107f1792d356af813d06c95984b38da

Download Submit
memory/316-45-0x00007FFD996D0000-0x00007FFD996E0000-memory.dmp

Filesize
64KB

Download
memory/316-43-0x0000013A88950000-0x0000013A8897B000-memory.dmp

Filesize
172KB

Download
memory/608-32-0x000001C651150000-0x000001C651174000-memory.dmp

Filesize
144KB

Download
memory/608-35-0x00007FFD996D0000-0x00007FFD996E0000-memory.dmp

Filesize
64KB

Download
memory/608-34-0x000001C651180000-0x000001C6511AB000-memory.dmp

Filesize
172KB

Download
memory/668-39-0x00007FFD996D0000-0x00007FFD996E0000-memory.dmp

Filesize
64KB

Download
memory/668-37-0x0000021F9CF70000-0x0000021F9CF9B000-memory.dmp

Filesize
172KB

Download
memory/2472-24-0x00007FFDD9650000-0x00007FFDD9845000-memory.dmp

Filesize
2.0MB

Download
memory/2472-25-0x00007FFDD81D0000-0x00007FFDD828E000-memory.dmp

Filesize
760KB

Download
memory/2472-18-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2472-21-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2472-19-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2472-20-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2472-27-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2472-23-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4592-313-0x00000292CC270000-0x00000292CC325000-memory.dmp

Filesize
724KB

Download
memory/4592-312-0x00000292CC250000-0x00000292CC26C000-memory.dmp

Filesize
112KB

Download
memory/4592-347-0x00000292CC4D0000-0x00000292CC4EA000-memory.dmp

Filesize
104KB

Download
memory/4592-348-0x00000292CC480000-0x00000292CC488000-memory.dmp

Filesize
32KB

Download
memory/4592-349-0x00000292CC4B0000-0x00000292CC4B6000-memory.dmp

Filesize
24KB

Download
memory/4592-350-0x00000292CC4C0000-0x00000292CC4CA000-memory.dmp

Filesize
40KB

Download
memory/4592-334-0x00000292CC490000-0x00000292CC4AC000-memory.dmp

Filesize
112KB

Download
memory/4592-346-0x00000292CC470000-0x00000292CC47A000-memory.dmp

Filesize
40KB

Download
memory/4592-314-0x00000292CBED0000-0x00000292CBEDA000-memory.dmp

Filesize
40KB

Download
memory/4636-0-0x00007FFDB9663000-0x00007FFDB9665000-memory.dmp

Filesize
8KB

Download
memory/4636-17-0x00007FFDB9660000-0x00007FFDBA121000-memory.dmp

Filesize
10.8MB

Download
memory/4636-14-0x00007FFDB9660000-0x00007FFDBA121000-memory.dmp

Filesize
10.8MB

Download
memory/4636-13-0x00007FFDB9660000-0x00007FFDBA121000-memory.dmp

Filesize
10.8MB

Download
memory/4636-12-0x00007FFDB9660000-0x00007FFDBA121000-memory.dmp

Filesize
10.8MB

Download
memory/4636-11-0x00007FFDB9660000-0x00007FFDBA121000-memory.dmp

Filesize
10.8MB

Download
memory/4636-3-0x00000194F39B0000-0x00000194F39D2000-memory.dmp

Filesize
136KB

Download