quasar | 6cf6ade8237b2c7d401b8aea07fedfa070f2d7fd7e34bde673632fe9250fa9a5

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	6cf6ade8237b2c7d401b8aea07fedfa070f2d7fd7e34bde673632fe9250fa9a5N.exe

Executes dropped EXE 2 IoCs

pid	Process
3208	kw0hwdcb.cf1.exe
2920	Client.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Quasar Client Startup = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	6cf6ade8237b2c7d401b8aea07fedfa070f2d7fd7e34bde673632fe9250fa9a5N.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	svchost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4000	schtasks.exe
4264	SCHTASKS.exe
2028	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
1868	WerFault.exe
1868	WerFault.exe
2664	WerFault.exe
2664	WerFault.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3600	svchost.exe
3600	svchost.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3600	svchost.exe
3600	svchost.exe
4444	wlrmdr.exe
4444	wlrmdr.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3600	svchost.exe
3600	svchost.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe
3208	kw0hwdcb.cf1.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
8	Process not Found
1212	Process not Found
1944	Process not Found
4028	Process not Found
2664	Process not Found
1428	Process not Found
1936	Process not Found
3460	Process not Found
116	Process not Found
60	Process not Found
656	Process not Found
1232	Process not Found
1276	Process not Found
1260	Process not Found
1444	Process not Found
1352	Process not Found
1368	Process not Found
4844	Process not Found
616	Process not Found
5008	Process not Found
1396	Process not Found
3976	Process not Found
4484	Process not Found
4896	Process not Found
4784	Process not Found
836	Process not Found
844	Process not Found
780	Process not Found
4760	Process not Found
3280	Process not Found
3340	Process not Found
3588	Process not Found
3284	Process not Found
3044	Process not Found
4608	Process not Found
4400	Process not Found
4712	Process not Found
1788	Process not Found
1244	Process not Found
1612	Process not Found
1032	Process not Found
1796	Process not Found
1172	Process not Found
2712	Process not Found
4872	Process not Found
3756	Process not Found
3348	Process not Found
2124	Process not Found
960	Process not Found
4500	Process not Found
4724	Process not Found
1820	Process not Found
2560	Process not Found
3692	Process not Found
3004	Process not Found
1620	Process not Found
2760	Process not Found
4792	Process not Found
620	Process not Found
4176	Process not Found
4964	Process not Found
824	Process not Found
4800	Process not Found
3676	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	436	6cf6ade8237b2c7d401b8aea07fedfa070f2d7fd7e34bde673632fe9250fa9a5N.exe
Token: SeDebugPrivilege	3208	kw0hwdcb.cf1.exe
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeAuditPrivilege	2620	svchost.exe
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	1768	svchost.exe
Token: SeIncreaseQuotaPrivilege	1768	svchost.exe
Token: SeSecurityPrivilege	1768	svchost.exe
Token: SeTakeOwnershipPrivilege	1768	svchost.exe
Token: SeLoadDriverPrivilege	1768	svchost.exe
Token: SeSystemtimePrivilege	1768	svchost.exe
Token: SeBackupPrivilege	1768	svchost.exe
Token: SeRestorePrivilege	1768	svchost.exe
Token: SeShutdownPrivilege	1768	svchost.exe
Token: SeSystemEnvironmentPrivilege	1768	svchost.exe
Token: SeUndockPrivilege	1768	svchost.exe
Token: SeManageVolumePrivilege	1768	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1768	svchost.exe
Token: SeIncreaseQuotaPrivilege	1768	svchost.exe
Token: SeSecurityPrivilege	1768	svchost.exe
Token: SeTakeOwnershipPrivilege	1768	svchost.exe
Token: SeLoadDriverPrivilege	1768	svchost.exe
Token: SeSystemtimePrivilege	1768	svchost.exe
Token: SeBackupPrivilege	1768	svchost.exe
Token: SeRestorePrivilege	1768	svchost.exe
Token: SeShutdownPrivilege	1768	svchost.exe
Token: SeSystemEnvironmentPrivilege	1768	svchost.exe
Token: SeUndockPrivilege	1768	svchost.exe
Token: SeManageVolumePrivilege	1768	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1768	svchost.exe
Token: SeIncreaseQuotaPrivilege	1768	svchost.exe
Token: SeSecurityPrivilege	1768	svchost.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4444	wlrmdr.exe
3436	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 3208	436	6cf6ade8237b2c7d401b8aea07fedfa070f2d7fd7e34bde673632fe9250fa9a5N.exe	82
PID 436 wrote to memory of 3208	436	6cf6ade8237b2c7d401b8aea07fedfa070f2d7fd7e34bde673632fe9250fa9a5N.exe	82
PID 436 wrote to memory of 4264	436	6cf6ade8237b2c7d401b8aea07fedfa070f2d7fd7e34bde673632fe9250fa9a5N.exe	83
PID 436 wrote to memory of 4264	436	6cf6ade8237b2c7d401b8aea07fedfa070f2d7fd7e34bde673632fe9250fa9a5N.exe	83
PID 3208 wrote to memory of 612	3208	kw0hwdcb.cf1.exe	5
PID 3208 wrote to memory of 676	3208	kw0hwdcb.cf1.exe	7
PID 3208 wrote to memory of 948	3208	kw0hwdcb.cf1.exe	12
PID 3208 wrote to memory of 64	3208	kw0hwdcb.cf1.exe	13
PID 676 wrote to memory of 2652	676	lsass.exe	46
PID 3208 wrote to memory of 392	3208	kw0hwdcb.cf1.exe	14
PID 3208 wrote to memory of 1036	3208	kw0hwdcb.cf1.exe	15
PID 3208 wrote to memory of 1060	3208	kw0hwdcb.cf1.exe	17
PID 3208 wrote to memory of 1068	3208	kw0hwdcb.cf1.exe	18
PID 3208 wrote to memory of 1184	3208	kw0hwdcb.cf1.exe	19
PID 3208 wrote to memory of 1216	3208	kw0hwdcb.cf1.exe	20
PID 3208 wrote to memory of 1296	3208	kw0hwdcb.cf1.exe	21
PID 3208 wrote to memory of 1304	3208	kw0hwdcb.cf1.exe	22
PID 3208 wrote to memory of 1404	3208	kw0hwdcb.cf1.exe	23
PID 3208 wrote to memory of 1452	3208	kw0hwdcb.cf1.exe	24
PID 3208 wrote to memory of 1464	3208	kw0hwdcb.cf1.exe	25
PID 3208 wrote to memory of 1500	3208	kw0hwdcb.cf1.exe	26
PID 3208 wrote to memory of 1508	3208	kw0hwdcb.cf1.exe	27
PID 3208 wrote to memory of 1652	3208	kw0hwdcb.cf1.exe	28
PID 3208 wrote to memory of 1692	3208	kw0hwdcb.cf1.exe	29
PID 3208 wrote to memory of 1744	3208	kw0hwdcb.cf1.exe	30
PID 3208 wrote to memory of 1808	3208	kw0hwdcb.cf1.exe	31
PID 3208 wrote to memory of 1836	3208	kw0hwdcb.cf1.exe	32
PID 3208 wrote to memory of 1960	3208	kw0hwdcb.cf1.exe	33
PID 3208 wrote to memory of 2040	3208	kw0hwdcb.cf1.exe	34
PID 3208 wrote to memory of 516	3208	kw0hwdcb.cf1.exe	35
PID 3208 wrote to memory of 1768	3208	kw0hwdcb.cf1.exe	36
PID 3208 wrote to memory of 2064	3208	kw0hwdcb.cf1.exe	37
PID 3208 wrote to memory of 2112	3208	kw0hwdcb.cf1.exe	38
PID 3208 wrote to memory of 2224	3208	kw0hwdcb.cf1.exe	40
PID 3208 wrote to memory of 2380	3208	kw0hwdcb.cf1.exe	41
PID 3208 wrote to memory of 2416	3208	kw0hwdcb.cf1.exe	42
PID 3208 wrote to memory of 2420	3208	kw0hwdcb.cf1.exe	43
PID 3208 wrote to memory of 2520	3208	kw0hwdcb.cf1.exe	44
PID 3208 wrote to memory of 2620	3208	kw0hwdcb.cf1.exe	45
PID 3208 wrote to memory of 2652	3208	kw0hwdcb.cf1.exe	46
PID 3208 wrote to memory of 2684	3208	kw0hwdcb.cf1.exe	47
PID 3208 wrote to memory of 2736	3208	kw0hwdcb.cf1.exe	48
PID 3208 wrote to memory of 2968	3208	kw0hwdcb.cf1.exe	49
PID 3208 wrote to memory of 3016	3208	kw0hwdcb.cf1.exe	50
PID 3208 wrote to memory of 3036	3208	kw0hwdcb.cf1.exe	51
PID 3208 wrote to memory of 2700	3208	kw0hwdcb.cf1.exe	52
PID 3208 wrote to memory of 3132	3208	kw0hwdcb.cf1.exe	54
PID 3208 wrote to memory of 3320	3208	kw0hwdcb.cf1.exe	55
PID 3208 wrote to memory of 3436	3208	kw0hwdcb.cf1.exe	56
PID 3208 wrote to memory of 3540	3208	kw0hwdcb.cf1.exe	57
PID 3208 wrote to memory of 3740	3208	kw0hwdcb.cf1.exe	58
PID 3208 wrote to memory of 3952	3208	kw0hwdcb.cf1.exe	60
PID 3208 wrote to memory of 4128	3208	kw0hwdcb.cf1.exe	62
PID 3208 wrote to memory of 2012	3208	kw0hwdcb.cf1.exe	64
PID 3208 wrote to memory of 4776	3208	kw0hwdcb.cf1.exe	66
PID 3208 wrote to memory of 2612	3208	kw0hwdcb.cf1.exe	67
PID 3208 wrote to memory of 4780	3208	kw0hwdcb.cf1.exe	69
PID 3208 wrote to memory of 1552	3208	kw0hwdcb.cf1.exe	70
PID 3208 wrote to memory of 4328	3208	kw0hwdcb.cf1.exe	71
PID 3208 wrote to memory of 1984	3208	kw0hwdcb.cf1.exe	72
PID 3208 wrote to memory of 4972	3208	kw0hwdcb.cf1.exe	73
PID 3208 wrote to memory of 1524	3208	kw0hwdcb.cf1.exe	74
PID 3208 wrote to memory of 400	3208	kw0hwdcb.cf1.exe	76
PID 3208 wrote to memory of 5116	3208	kw0hwdcb.cf1.exe	79

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:64
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 64 -s 3580
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2664
- C:\Windows\system32\wlrmdr.exe
  -s -1 -f 2 -t Your PC will automatically restart in one minute -m Windows ran into a problem and needs to restart. You should close this message now and save your work. -a 3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4444

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:676
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 676 -s 2876
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:392

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1184
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2700
- C:\Windows\system32\MusNotification.exe
  C:\Windows\system32\MusNotification.exe
  2⤵
  PID:5116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1464
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3016
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2392
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2876
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2196
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:5100
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3664
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2064

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2736

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3320

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3436
- C:\Users\Admin\AppData\Local\Temp\6cf6ade8237b2c7d401b8aea07fedfa070f2d7fd7e34bde673632fe9250fa9a5N.exe
  "C:\Users\Admin\AppData\Local\Temp\6cf6ade8237b2c7d401b8aea07fedfa070f2d7fd7e34bde673632fe9250fa9a5N.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Users\Admin\AppData\Local\Temp\kw0hwdcb.cf1.exe
    "C:\Users\Admin\AppData\Local\Temp\kw0hwdcb.cf1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3208
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "Mason6cf6ade8237b2c7d401b8aea07fedfa070f2d7fd7e34bde673632fe9250fa9a5N.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\6cf6ade8237b2c7d401b8aea07fedfa070f2d7fd7e34bde673632fe9250fa9a5N.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4264
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "Mason6cf6ade8237b2c7d401b8aea07fedfa070f2d7fd7e34bde673632fe9250fa9a5N.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\6cf6ade8237b2c7d401b8aea07fedfa070f2d7fd7e34bde673632fe9250fa9a5N.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2028
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1348
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2028 -s 444
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      PID:4852
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4000
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2536
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:2920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3540

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3740

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3952

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4128

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:1552

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4328

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4972

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:400

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:3600
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 448 -p 64 -ip 64
  2⤵
  PID:3424
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 476 -p 676 -ip 676
  2⤵
  PID:2536
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 456 -p 2028 -ip 2028
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:112

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe bebba0038c55ebd4731134e012f569ff NFgcdZWaBU+iJKTshqZSWA.0.1.0.0.0
1⤵
PID:1864
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1092

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe bebba0038c55ebd4731134e012f569ff NFgcdZWaBU+iJKTshqZSWA.0.1.0.0.0
1⤵
PID:1128
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery