gurcu | 1f0a70334fb3a63b9c70cdfe01c012829cc380970cd6b12936f22d44e3c0e388

System Information Discovery

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

svchost.exeWScript.exemain.exeChainComServermonitor.exeUpdate.exes.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	main.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	ChainComServermonitor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	s.exe

Executes dropped EXE 10 IoCs

Processes:

s.exemain.exesvchost.execrss.exesetup.execrss.exeChainComServermonitor.exeUpdate.exesppsvc.exeupdater.exe

pid	process
3232	s.exe
1064	main.exe
4548	svchost.exe
3320	crss.exe
4028	setup.exe
2096	crss.exe
5188	ChainComServermonitor.exe
4528	Update.exe
6804	sppsvc.exe
7896	updater.exe

Loads dropped DLL 36 IoCs

Processes:

checker.exemain.execrss.exeUpdate.exe

pid	process
4372	checker.exe
4372	checker.exe
1064	main.exe
2096	crss.exe
2096	crss.exe
2096	crss.exe
2096	crss.exe
2096	crss.exe
2096	crss.exe
2096	crss.exe
2096	crss.exe
2096	crss.exe
2096	crss.exe
2096	crss.exe
2096	crss.exe
2096	crss.exe
2096	crss.exe
2096	crss.exe
2096	crss.exe
2096	crss.exe
2096	crss.exe
2096	crss.exe
2096	crss.exe
2096	crss.exe
2096	crss.exe
2096	crss.exe
2096	crss.exe
2096	crss.exe
2096	crss.exe
2096	crss.exe
2096	crss.exe
2096	crss.exe
2096	crss.exe
2096	crss.exe
2096	crss.exe
4528	Update.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ChainComServermonitor.exereg.execrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextInputHost.exe\""	ChainComServermonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextInputHost.exe\""	ChainComServermonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\appcompat\\appraiser\\Telemetry\\Idle.exe\""	ChainComServermonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\setup = "\"C:\\Recovery\\WindowsRE\\setup.exe\""	ChainComServermonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\козляк = "C:\\ProgramData\\crss.exe"	crss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default\\Application Data\\sppsvc.exe\""	ChainComServermonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default\\Application Data\\sppsvc.exe\""	ChainComServermonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\appcompat\\appraiser\\Telemetry\\Idle.exe\""	ChainComServermonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\setup = "\"C:\\Recovery\\WindowsRE\\setup.exe\""	ChainComServermonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	ChainComServermonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	ChainComServermonitor.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

27 raw.githubusercontent.com
84 raw.githubusercontent.com
24 raw.githubusercontent.com
25 raw.githubusercontent.com
26 raw.githubusercontent.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 ip-api.com
32 api.ipify.org
33 api.ipify.org

flow	ioc
27	raw.githubusercontent.com
84	raw.githubusercontent.com
24	raw.githubusercontent.com
25	raw.githubusercontent.com
26	raw.githubusercontent.com

flow	ioc
19	ip-api.com
32	api.ipify.org
33	api.ipify.org

Drops file in System32 directory 13 IoCs

Processes:

svchost.exeOfficeClickToRun.execsc.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File created	\??\c:\Windows\System32\CSC2D1A86F26F54872AC892C34AECAA1CD.TMP	csc.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File created	\??\c:\Windows\System32\xqt5sk.exe	csc.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exe

pid process

5804 tasklist.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

crss.exe

pid process

2096 crss.exe

pid	process
5804	tasklist.exe

pid	process
2096	crss.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

setup.exeupdater.exe

description	pid	process	target process
PID 4028 set thread context of 8068	4028	setup.exe	dialer.exe
PID 7896 set thread context of 8148	7896	updater.exe	dialer.exe
PID 7896 set thread context of 8172	7896	updater.exe	dialer.exe
PID 7896 set thread context of 7788	7896	updater.exe	dialer.exe

Drops file in Program Files directory 4 IoCs

Processes:

setup.exeChainComServermonitor.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	setup.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\TextInputHost.exe	ChainComServermonitor.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\22eafd247d37c3	ChainComServermonitor.exe
File created	C:\Program Files\ModifiableWindowsApps\System.exe	ChainComServermonitor.exe

Drops file in Windows directory 3 IoCs

Processes:

ChainComServermonitor.exesvchost.exe

description	ioc	process
File created	C:\Windows\appcompat\appraiser\Telemetry\Idle.exe	ChainComServermonitor.exe
File created	C:\Windows\appcompat\appraiser\Telemetry\6ccacd8608530f	ChainComServermonitor.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

7620 sc.exe
7336 sc.exe
7736 sc.exe
5012 sc.exe
8184 sc.exe
8128 sc.exe
8092 sc.exe
1432 sc.exe
8148 sc.exe
8108 sc.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

pid	process
7620	sc.exe
7336	sc.exe
7736	sc.exe
5012	sc.exe
8184	sc.exe
8128	sc.exe
8092	sc.exe
1432	sc.exe
8148	sc.exe
8108	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\ProgramData\crss.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

s.exesvchost.exeWScript.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

wmiprvse.exeUpdate.exeWerFault.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Update.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5628 timeout.exe

pid	process
5628	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

WerFault.exewmiprvse.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 60 IoCs

Processes:

powershell.exeOfficeClickToRun.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 11 Nov 2024 14:58:18 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={1CEB11FC-AAA2-4D46-AC7F-70CB91DA5A1F}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1731337096"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe

Modifies registry class 2 IoCs

Processes:

ChainComServermonitor.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	ChainComServermonitor.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	svchost.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

7228 reg.exe

pid	process
7228	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
5812	schtasks.exe
5676	schtasks.exe
5948	schtasks.exe
5852	schtasks.exe
5688	schtasks.exe
8000	schtasks.exe
5752	schtasks.exe
800	schtasks.exe
6260	schtasks.exe
6244	schtasks.exe
6060	schtasks.exe
5928	schtasks.exe
5904	schtasks.exe
6228	schtasks.exe
6044	schtasks.exe
5860	schtasks.exe
5704	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

main.exeChainComServermonitor.exe

pid	process
1064	main.exe
1064	main.exe
1064	main.exe
1064	main.exe
1064	main.exe
1064	main.exe
1064	main.exe
1064	main.exe
1064	main.exe
1064	main.exe
1064	main.exe
1064	main.exe
1064	main.exe
1064	main.exe
1064	main.exe
1064	main.exe
1064	main.exe
1064	main.exe
1064	main.exe
1064	main.exe
1064	main.exe
1064	main.exe
1064	main.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe
5188	ChainComServermonitor.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3512 Explorer.EXE

pid	process
3512	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

main.exeChainComServermonitor.execrss.exetasklist.exeUpdate.exesppsvc.exepowershell.exedialer.exeExplorer.EXEsvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1064	main.exe
Token: SeDebugPrivilege	5188	ChainComServermonitor.exe
Token: SeDebugPrivilege	2096	crss.exe
Token: SeDebugPrivilege	5804	tasklist.exe
Token: SeDebugPrivilege	4528	Update.exe
Token: SeDebugPrivilege	6804	sppsvc.exe
Token: SeDebugPrivilege	7468	powershell.exe
Token: SeDebugPrivilege	8068	dialer.exe
Token: SeShutdownPrivilege	3512	Explorer.EXE
Token: SeCreatePagefilePrivilege	3512	Explorer.EXE
Token: SeShutdownPrivilege	3512	Explorer.EXE
Token: SeCreatePagefilePrivilege	3512	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	1120	svchost.exe
Token: SeIncreaseQuotaPrivilege	1120	svchost.exe
Token: SeSecurityPrivilege	1120	svchost.exe
Token: SeTakeOwnershipPrivilege	1120	svchost.exe
Token: SeLoadDriverPrivilege	1120	svchost.exe
Token: SeSystemtimePrivilege	1120	svchost.exe
Token: SeBackupPrivilege	1120	svchost.exe
Token: SeRestorePrivilege	1120	svchost.exe
Token: SeShutdownPrivilege	1120	svchost.exe
Token: SeSystemEnvironmentPrivilege	1120	svchost.exe
Token: SeUndockPrivilege	1120	svchost.exe
Token: SeManageVolumePrivilege	1120	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1120	svchost.exe
Token: SeIncreaseQuotaPrivilege	1120	svchost.exe
Token: SeSecurityPrivilege	1120	svchost.exe
Token: SeTakeOwnershipPrivilege	1120	svchost.exe
Token: SeLoadDriverPrivilege	1120	svchost.exe
Token: SeSystemtimePrivilege	1120	svchost.exe
Token: SeBackupPrivilege	1120	svchost.exe
Token: SeRestorePrivilege	1120	svchost.exe
Token: SeShutdownPrivilege	1120	svchost.exe
Token: SeSystemEnvironmentPrivilege	1120	svchost.exe
Token: SeUndockPrivilege	1120	svchost.exe
Token: SeManageVolumePrivilege	1120	svchost.exe
Token: SeAuditPrivilege	2820	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1120	svchost.exe
Token: SeIncreaseQuotaPrivilege	1120	svchost.exe
Token: SeSecurityPrivilege	1120	svchost.exe
Token: SeTakeOwnershipPrivilege	1120	svchost.exe
Token: SeLoadDriverPrivilege	1120	svchost.exe
Token: SeSystemtimePrivilege	1120	svchost.exe
Token: SeBackupPrivilege	1120	svchost.exe
Token: SeRestorePrivilege	1120	svchost.exe
Token: SeShutdownPrivilege	1120	svchost.exe
Token: SeSystemEnvironmentPrivilege	1120	svchost.exe
Token: SeUndockPrivilege	1120	svchost.exe
Token: SeManageVolumePrivilege	1120	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1120	svchost.exe
Token: SeIncreaseQuotaPrivilege	1120	svchost.exe
Token: SeSecurityPrivilege	1120	svchost.exe
Token: SeTakeOwnershipPrivilege	1120	svchost.exe
Token: SeLoadDriverPrivilege	1120	svchost.exe
Token: SeSystemtimePrivilege	1120	svchost.exe
Token: SeBackupPrivilege	1120	svchost.exe
Token: SeRestorePrivilege	1120	svchost.exe
Token: SeShutdownPrivilege	1120	svchost.exe
Token: SeSystemEnvironmentPrivilege	1120	svchost.exe
Token: SeUndockPrivilege	1120	svchost.exe
Token: SeManageVolumePrivilege	1120	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1120	svchost.exe
Token: SeIncreaseQuotaPrivilege	1120	svchost.exe
Token: SeSecurityPrivilege	1120	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Update.exe

pid process

4528 Update.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

RuntimeBroker.exeExplorer.EXE

pid process

3536 RuntimeBroker.exe
3512 Explorer.EXE

pid	process
4528	Update.exe

pid	process
3536	RuntimeBroker.exe
3512	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

checker.exechecker.execmd.exes.exesvchost.execrss.exeWScript.execrss.execmd.exeChainComServermonitor.execsc.execsc.exemain.execmd.execmd.exeUpdate.execmd.execmd.exe

description	pid	process	target process
PID 1796 wrote to memory of 4372	1796	checker.exe	checker.exe
PID 1796 wrote to memory of 4372	1796	checker.exe	checker.exe
PID 4372 wrote to memory of 752	4372	checker.exe	cmd.exe
PID 4372 wrote to memory of 752	4372	checker.exe	cmd.exe
PID 752 wrote to memory of 3232	752	cmd.exe	s.exe
PID 752 wrote to memory of 3232	752	cmd.exe	s.exe
PID 752 wrote to memory of 3232	752	cmd.exe	s.exe
PID 3232 wrote to memory of 1064	3232	s.exe	main.exe
PID 3232 wrote to memory of 1064	3232	s.exe	main.exe
PID 3232 wrote to memory of 4548	3232	s.exe	svchost.exe
PID 3232 wrote to memory of 4548	3232	s.exe	svchost.exe
PID 3232 wrote to memory of 4548	3232	s.exe	svchost.exe
PID 3232 wrote to memory of 3320	3232	s.exe	crss.exe
PID 3232 wrote to memory of 3320	3232	s.exe	crss.exe
PID 3232 wrote to memory of 4028	3232	s.exe	setup.exe
PID 3232 wrote to memory of 4028	3232	s.exe	setup.exe
PID 4548 wrote to memory of 4908	4548	svchost.exe	WScript.exe
PID 4548 wrote to memory of 4908	4548	svchost.exe	WScript.exe
PID 4548 wrote to memory of 4908	4548	svchost.exe	WScript.exe
PID 3320 wrote to memory of 2096	3320	crss.exe	crss.exe
PID 3320 wrote to memory of 2096	3320	crss.exe	crss.exe
PID 4908 wrote to memory of 752	4908	WScript.exe	cmd.exe
PID 4908 wrote to memory of 752	4908	WScript.exe	cmd.exe
PID 4908 wrote to memory of 752	4908	WScript.exe	cmd.exe
PID 2096 wrote to memory of 4944	2096	crss.exe	cmd.exe
PID 2096 wrote to memory of 4944	2096	crss.exe	cmd.exe
PID 752 wrote to memory of 5188	752	cmd.exe	ChainComServermonitor.exe
PID 752 wrote to memory of 5188	752	cmd.exe	ChainComServermonitor.exe
PID 5188 wrote to memory of 6204	5188	ChainComServermonitor.exe	csc.exe
PID 5188 wrote to memory of 6204	5188	ChainComServermonitor.exe	csc.exe
PID 6204 wrote to memory of 6112	6204	csc.exe	cvtres.exe
PID 6204 wrote to memory of 6112	6204	csc.exe	cvtres.exe
PID 5188 wrote to memory of 6152	5188	ChainComServermonitor.exe	csc.exe
PID 5188 wrote to memory of 6152	5188	ChainComServermonitor.exe	csc.exe
PID 6152 wrote to memory of 6004	6152	csc.exe	cvtres.exe
PID 6152 wrote to memory of 6004	6152	csc.exe	cvtres.exe
PID 1064 wrote to memory of 5912	1064	main.exe	cmd.exe
PID 1064 wrote to memory of 5912	1064	main.exe	cmd.exe
PID 5912 wrote to memory of 5804	5912	cmd.exe	tasklist.exe
PID 5912 wrote to memory of 5804	5912	cmd.exe	tasklist.exe
PID 5912 wrote to memory of 5792	5912	cmd.exe	find.exe
PID 5912 wrote to memory of 5792	5912	cmd.exe	find.exe
PID 5912 wrote to memory of 5628	5912	cmd.exe	timeout.exe
PID 5912 wrote to memory of 5628	5912	cmd.exe	timeout.exe
PID 5188 wrote to memory of 5596	5188	ChainComServermonitor.exe	cmd.exe
PID 5188 wrote to memory of 5596	5188	ChainComServermonitor.exe	cmd.exe
PID 5596 wrote to memory of 5540	5596	cmd.exe	chcp.com
PID 5596 wrote to memory of 5540	5596	cmd.exe	chcp.com
PID 5596 wrote to memory of 5520	5596	cmd.exe	w32tm.exe
PID 5596 wrote to memory of 5520	5596	cmd.exe	w32tm.exe
PID 5912 wrote to memory of 4528	5912	cmd.exe	Update.exe
PID 5912 wrote to memory of 4528	5912	cmd.exe	Update.exe
PID 5596 wrote to memory of 6804	5596	cmd.exe	sppsvc.exe
PID 5596 wrote to memory of 6804	5596	cmd.exe	sppsvc.exe
PID 4528 wrote to memory of 6980	4528	Update.exe	cmd.exe
PID 4528 wrote to memory of 6980	4528	Update.exe	cmd.exe
PID 6980 wrote to memory of 7228	6980	cmd.exe	reg.exe
PID 6980 wrote to memory of 7228	6980	cmd.exe	reg.exe
PID 3288 wrote to memory of 8184	3288	cmd.exe	sc.exe
PID 3288 wrote to memory of 8184	3288	cmd.exe	sc.exe
PID 3288 wrote to memory of 8148	3288	cmd.exe	sc.exe
PID 3288 wrote to memory of 8148	3288	cmd.exe	sc.exe
PID 3288 wrote to memory of 8128	3288	cmd.exe	sc.exe
PID 3288 wrote to memory of 8128	3288	cmd.exe	sc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:596
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:620

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1188
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:7896

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1380
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1324

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1440

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2188

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2748

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2904

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3420

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3512
- C:\Users\Admin\AppData\Local\Temp\checker.exe
  "C:\Users\Admin\AppData\Local\Temp\checker.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Users\Admin\AppData\Local\Temp\checker.exe
    "C:\Users\Admin\AppData\Local\Temp\checker.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI17962\s.exe -pbeznogym
      4⤵
      Suspicious use of WriteProcessMemory
      PID:752
    - - C:\Users\Admin\AppData\Local\Temp\_MEI17962\s.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI17962\s.exe -pbeznogym
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3232
      - C:\ProgramData\main.exe
        
        "C:\ProgramData\main.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpAF6A.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpAF6A.tmp.bat
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5912
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1064"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5804
        
        C:\Windows\system32\find.exe
        
        find ":"
        8⤵
        
        PID:5792
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:5628
        
        C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
        
        "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:6980
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        10⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:7228
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4528 -s 2856
        9⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1948
      - C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe"
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe"
        9⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5188
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s2ovvggx\s2ovvggx.cmdline"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:6204
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE22.tmp" "c:\ProgramData\CSC731EE69FAFA3469EAF4DF58C5D729646.TMP"
        11⤵
        
        PID:6112
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5wcwxeem\5wcwxeem.cmdline"
        10⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:6152
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF3B.tmp" "c:\Windows\System32\CSC2D1A86F26F54872AC892C34AECAA1CD.TMP"
        11⤵
        
        PID:6004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ARh7JHHqAE.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:5540
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:5520
        
        C:\Users\Default\Application Data\sppsvc.exe
        
        "C:\Users\Default\Application Data\sppsvc.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6804
      - C:\ProgramData\crss.exe
        
        "C:\ProgramData\crss.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\ProgramData\crss.exe
        
        "C:\ProgramData\crss.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:4944
      - C:\ProgramData\setup.exe
        
        "C:\ProgramData\setup.exe"
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Program Files directory
        
        PID:4028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:7468
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3288
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:8184
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:8148
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:8128
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:8108
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:8092
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:8068
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:8064
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\yntnomxcupkb.xml"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:8000
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:7936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3848
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6992
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:7556
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7564
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:7620
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:7336
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1432
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:7736
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:5012
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:8148
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\yntnomxcupkb.xml"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:800
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:8172
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:7788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3612

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3816

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3972

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:1672

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:828

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1248

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4488

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1704

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1624

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:3644

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
PID:3540
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
  2⤵
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:6260
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
  2⤵
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:6244
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
  2⤵
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:6228
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Application Data\sppsvc.exe'" /f
  2⤵
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:6044
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Application Data\sppsvc.exe'" /rl HIGHEST /f
  2⤵
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:6060
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Application Data\sppsvc.exe'" /rl HIGHEST /f
  2⤵
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:5948
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\TextInputHost.exe'" /f
  2⤵
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:5928
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\TextInputHost.exe'" /rl HIGHEST /f
  2⤵
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:5904
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\TextInputHost.exe'" /rl HIGHEST /f
  2⤵
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:5860
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\appcompat\appraiser\Telemetry\Idle.exe'" /f
  2⤵
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:5852
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\appcompat\appraiser\Telemetry\Idle.exe'" /rl HIGHEST /f
  2⤵
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:5812
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\appcompat\appraiser\Telemetry\Idle.exe'" /rl HIGHEST /f
  2⤵
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:5752
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "setups" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\setup.exe'" /f
  2⤵
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:5704
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "setup" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\setup.exe'" /rl HIGHEST /f
  2⤵
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:5688
- C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "setups" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\setup.exe'" /rl HIGHEST /f
  2⤵
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:5676

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:5468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:6516

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:6588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:7760

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:6780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery