xworm | 2712b14698095b857bbfd96d2515b7e67fe54f29766250c56dd0e1d758c00ec2

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	2712b14698095b857bbfd96d2515b7e67fe54f29766250c56dd0e1d758c00ec2.exe

Executes dropped EXE 1 IoCs

pid	Process
752	czjgrzxn.h3j.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	svchost.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
14	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	wmiprvse.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 57 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={27D6FD15-D07D-4FBB-BD69-05A5882CAEDD}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Fri, 22 Nov 2024 20:59:04 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1732309143"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "00184010F86B2C47"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1844	SCHTASKS.exe
2456	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
1460	svchost.exe
1460	svchost.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe
752	czjgrzxn.h3j.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
3132	Process not Found
748	Process not Found
2492	Process not Found
3468	Process not Found
1532	Process not Found
4780	Process not Found
4896	Process not Found
1220	Process not Found
4032	Process not Found
316	Process not Found
2976	Process not Found
616	Process not Found
2052	Process not Found
4500	Process not Found
3068	Process not Found
2168	Process not Found
3080	Process not Found
4100	Process not Found
5100	Process not Found
2956	Process not Found
812	Process not Found
2844	Process not Found
2264	Process not Found
4264	Process not Found
1296	Process not Found
4332	Process not Found
2192	Process not Found
824	Process not Found
832	Process not Found
792	Process not Found
1340	Process not Found
2808	Process not Found
5108	Process not Found
2036	Process not Found
1960	Process not Found
1004	Process not Found
2196	Process not Found
1712	Process not Found
4804	Process not Found
872	Process not Found
1132	Process not Found
1140	Process not Found
1168	Process not Found
1176	Process not Found
1312	Process not Found
1592	Process not Found
2996	Process not Found
2832	Process not Found
3024	Process not Found
2812	Process not Found
1324	Process not Found
2576	Process not Found
5008	Process not Found
1332	Process not Found
740	Process not Found
3752	Process not Found
3928	Process not Found
4488	Process not Found
2488	Process not Found
1772	Process not Found
1384	Process not Found
4964	Process not Found
2876	Process not Found
3504	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3580	2712b14698095b857bbfd96d2515b7e67fe54f29766250c56dd0e1d758c00ec2.exe
Token: SeDebugPrivilege	752	czjgrzxn.h3j.exe
Token: SeShutdownPrivilege	3488	Explorer.EXE
Token: SeCreatePagefilePrivilege	3488	Explorer.EXE
Token: SeShutdownPrivilege	3488	Explorer.EXE
Token: SeCreatePagefilePrivilege	3488	Explorer.EXE
Token: SeAuditPrivilege	2588	svchost.exe
Token: SeShutdownPrivilege	3488	Explorer.EXE
Token: SeCreatePagefilePrivilege	3488	Explorer.EXE
Token: SeShutdownPrivilege	3488	Explorer.EXE
Token: SeCreatePagefilePrivilege	3488	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	2404	svchost.exe
Token: SeIncreaseQuotaPrivilege	2404	svchost.exe
Token: SeSecurityPrivilege	2404	svchost.exe
Token: SeTakeOwnershipPrivilege	2404	svchost.exe
Token: SeLoadDriverPrivilege	2404	svchost.exe
Token: SeSystemtimePrivilege	2404	svchost.exe
Token: SeBackupPrivilege	2404	svchost.exe
Token: SeRestorePrivilege	2404	svchost.exe
Token: SeShutdownPrivilege	2404	svchost.exe
Token: SeSystemEnvironmentPrivilege	2404	svchost.exe
Token: SeUndockPrivilege	2404	svchost.exe
Token: SeManageVolumePrivilege	2404	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2404	svchost.exe
Token: SeIncreaseQuotaPrivilege	2404	svchost.exe
Token: SeSecurityPrivilege	2404	svchost.exe
Token: SeTakeOwnershipPrivilege	2404	svchost.exe
Token: SeLoadDriverPrivilege	2404	svchost.exe
Token: SeSystemtimePrivilege	2404	svchost.exe
Token: SeBackupPrivilege	2404	svchost.exe
Token: SeRestorePrivilege	2404	svchost.exe
Token: SeShutdownPrivilege	2404	svchost.exe
Token: SeSystemEnvironmentPrivilege	2404	svchost.exe
Token: SeUndockPrivilege	2404	svchost.exe
Token: SeManageVolumePrivilege	2404	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2404	svchost.exe
Token: SeIncreaseQuotaPrivilege	2404	svchost.exe
Token: SeSecurityPrivilege	2404	svchost.exe
Token: SeTakeOwnershipPrivilege	2404	svchost.exe
Token: SeLoadDriverPrivilege	2404	svchost.exe
Token: SeSystemtimePrivilege	2404	svchost.exe
Token: SeBackupPrivilege	2404	svchost.exe
Token: SeRestorePrivilege	2404	svchost.exe
Token: SeShutdownPrivilege	2404	svchost.exe
Token: SeSystemEnvironmentPrivilege	2404	svchost.exe
Token: SeUndockPrivilege	2404	svchost.exe
Token: SeManageVolumePrivilege	2404	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2404	svchost.exe
Token: SeIncreaseQuotaPrivilege	2404	svchost.exe
Token: SeSecurityPrivilege	2404	svchost.exe
Token: SeTakeOwnershipPrivilege	2404	svchost.exe
Token: SeLoadDriverPrivilege	2404	svchost.exe
Token: SeSystemtimePrivilege	2404	svchost.exe
Token: SeBackupPrivilege	2404	svchost.exe
Token: SeRestorePrivilege	2404	svchost.exe
Token: SeShutdownPrivilege	2404	svchost.exe
Token: SeSystemEnvironmentPrivilege	2404	svchost.exe
Token: SeUndockPrivilege	2404	svchost.exe
Token: SeManageVolumePrivilege	2404	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2404	svchost.exe
Token: SeIncreaseQuotaPrivilege	2404	svchost.exe
Token: SeSecurityPrivilege	2404	svchost.exe
Token: SeTakeOwnershipPrivilege	2404	svchost.exe
Token: SeLoadDriverPrivilege	2404	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3488	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 752	3580	2712b14698095b857bbfd96d2515b7e67fe54f29766250c56dd0e1d758c00ec2.exe	82
PID 3580 wrote to memory of 752	3580	2712b14698095b857bbfd96d2515b7e67fe54f29766250c56dd0e1d758c00ec2.exe	82
PID 3580 wrote to memory of 1844	3580	2712b14698095b857bbfd96d2515b7e67fe54f29766250c56dd0e1d758c00ec2.exe	83
PID 3580 wrote to memory of 1844	3580	2712b14698095b857bbfd96d2515b7e67fe54f29766250c56dd0e1d758c00ec2.exe	83
PID 752 wrote to memory of 612	752	czjgrzxn.h3j.exe	5
PID 752 wrote to memory of 676	752	czjgrzxn.h3j.exe	7
PID 752 wrote to memory of 956	752	czjgrzxn.h3j.exe	12
PID 752 wrote to memory of 336	752	czjgrzxn.h3j.exe	13
PID 676 wrote to memory of 2612	676	lsass.exe	46
PID 752 wrote to memory of 744	752	czjgrzxn.h3j.exe	14
PID 752 wrote to memory of 952	752	czjgrzxn.h3j.exe	15
PID 752 wrote to memory of 1068	752	czjgrzxn.h3j.exe	17
PID 752 wrote to memory of 1076	752	czjgrzxn.h3j.exe	18
PID 676 wrote to memory of 2612	676	lsass.exe	46
PID 676 wrote to memory of 2612	676	lsass.exe	46
PID 752 wrote to memory of 1108	752	czjgrzxn.h3j.exe	19
PID 676 wrote to memory of 2612	676	lsass.exe	46
PID 752 wrote to memory of 1200	752	czjgrzxn.h3j.exe	20
PID 676 wrote to memory of 2612	676	lsass.exe	46
PID 752 wrote to memory of 1248	752	czjgrzxn.h3j.exe	21
PID 752 wrote to memory of 1268	752	czjgrzxn.h3j.exe	22
PID 752 wrote to memory of 1316	752	czjgrzxn.h3j.exe	23
PID 752 wrote to memory of 1416	752	czjgrzxn.h3j.exe	24
PID 752 wrote to memory of 1424	752	czjgrzxn.h3j.exe	25
PID 752 wrote to memory of 1448	752	czjgrzxn.h3j.exe	26
PID 752 wrote to memory of 1560	752	czjgrzxn.h3j.exe	27
PID 752 wrote to memory of 1600	752	czjgrzxn.h3j.exe	28
PID 752 wrote to memory of 1652	752	czjgrzxn.h3j.exe	29
PID 752 wrote to memory of 1692	752	czjgrzxn.h3j.exe	30
PID 752 wrote to memory of 1784	752	czjgrzxn.h3j.exe	31
PID 752 wrote to memory of 1828	752	czjgrzxn.h3j.exe	32
PID 752 wrote to memory of 1916	752	czjgrzxn.h3j.exe	33
PID 752 wrote to memory of 1932	752	czjgrzxn.h3j.exe	34
PID 752 wrote to memory of 1940	752	czjgrzxn.h3j.exe	35
PID 752 wrote to memory of 1996	752	czjgrzxn.h3j.exe	36
PID 752 wrote to memory of 1680	752	czjgrzxn.h3j.exe	37
PID 752 wrote to memory of 2112	752	czjgrzxn.h3j.exe	39
PID 752 wrote to memory of 2156	752	czjgrzxn.h3j.exe	40
PID 752 wrote to memory of 2404	752	czjgrzxn.h3j.exe	41
PID 752 wrote to memory of 2432	752	czjgrzxn.h3j.exe	42
PID 752 wrote to memory of 2440	752	czjgrzxn.h3j.exe	43
PID 752 wrote to memory of 2500	752	czjgrzxn.h3j.exe	44
PID 752 wrote to memory of 2588	752	czjgrzxn.h3j.exe	45
PID 752 wrote to memory of 2612	752	czjgrzxn.h3j.exe	46
PID 752 wrote to memory of 2632	752	czjgrzxn.h3j.exe	47
PID 752 wrote to memory of 2644	752	czjgrzxn.h3j.exe	48
PID 752 wrote to memory of 2892	752	czjgrzxn.h3j.exe	49
PID 752 wrote to memory of 2940	752	czjgrzxn.h3j.exe	50
PID 752 wrote to memory of 2968	752	czjgrzxn.h3j.exe	51
PID 752 wrote to memory of 1092	752	czjgrzxn.h3j.exe	52
PID 752 wrote to memory of 3208	752	czjgrzxn.h3j.exe	53
PID 752 wrote to memory of 3376	752	czjgrzxn.h3j.exe	55
PID 752 wrote to memory of 3488	752	czjgrzxn.h3j.exe	56
PID 752 wrote to memory of 3628	752	czjgrzxn.h3j.exe	57
PID 752 wrote to memory of 3820	752	czjgrzxn.h3j.exe	58
PID 752 wrote to memory of 4012	752	czjgrzxn.h3j.exe	60
PID 752 wrote to memory of 2284	752	czjgrzxn.h3j.exe	62
PID 752 wrote to memory of 4940	752	czjgrzxn.h3j.exe	65
PID 752 wrote to memory of 2248	752	czjgrzxn.h3j.exe	67
PID 752 wrote to memory of 3320	752	czjgrzxn.h3j.exe	68
PID 752 wrote to memory of 2032	752	czjgrzxn.h3j.exe	69
PID 752 wrote to memory of 1512	752	czjgrzxn.h3j.exe	70
PID 752 wrote to memory of 2212	752	czjgrzxn.h3j.exe	71
PID 752 wrote to memory of 1852	752	czjgrzxn.h3j.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:336
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 336 -s 3544
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:2812
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 612 -s 776
  2⤵
  PID:4128

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1068
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:1092
- C:\Windows\system32\MusNotification.exe
  C:\Windows\system32\MusNotification.exe
  2⤵
  PID:1388

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1248

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1316
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2968
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3728
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3416
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:764
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:4376
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:4848
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:4908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1416

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1600

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1940

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1996

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2644

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3376

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3488
- C:\Users\Admin\AppData\Local\Temp\2712b14698095b857bbfd96d2515b7e67fe54f29766250c56dd0e1d758c00ec2.exe
  "C:\Users\Admin\AppData\Local\Temp\2712b14698095b857bbfd96d2515b7e67fe54f29766250c56dd0e1d758c00ec2.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3580
- - C:\Users\Admin\AppData\Local\Temp\czjgrzxn.h3j.exe
    "C:\Users\Admin\AppData\Local\Temp\czjgrzxn.h3j.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:752
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "Mason2712b14698095b857bbfd96d2515b7e67fe54f29766250c56dd0e1d758c00ec2.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\2712b14698095b857bbfd96d2515b7e67fe54f29766250c56dd0e1d758c00ec2.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1844
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "Mason2712b14698095b857bbfd96d2515b7e67fe54f29766250c56dd0e1d758c00ec2.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\2712b14698095b857bbfd96d2515b7e67fe54f29766250c56dd0e1d758c00ec2.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2456
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3628

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3820

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4012

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2284

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3320

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2032

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1852

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4512

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1460

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 608e6e1813538f7f12115e9ec453af9d 9vc6tr1IIUChtGVTGoRN0g.0.1.0.0.0
1⤵
- Sets service image path in registry
- Modifies data under HKEY_USERS
PID:3372
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1116

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:5024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:212

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4748

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery