xworm | 2daa61ed02cf604312b1d91ba8c161bb31fdff082f849eb4e5c4000d90a40388

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Specter Screen Grabber.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Screen graper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Screen grapper.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3008	powershell.exe
4140	powershell.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"	WaaSMedicAgent.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Screen graper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Screen grapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Screen grapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Specter Screen Grabber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Specter Screen Grabber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Screen graper.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	Specter Screen Grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	Screen graper.exe

Executes dropped EXE 3 IoCs

pid	Process
2964	Screen grapper.exe
980	Screen graper.exe
708	nrrnld2l.rio.exe

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/3172-10-0x00000000004A0000-0x000000000151A000-memory.dmp	themida
behavioral1/memory/3172-11-0x00000000004A0000-0x000000000151A000-memory.dmp	themida
behavioral1/files/0x00290000000450e4-17.dat	themida
behavioral1/files/0x00280000000450e7-32.dat	themida
behavioral1/memory/3172-49-0x00000000004A0000-0x000000000151A000-memory.dmp	themida
behavioral1/memory/980-54-0x0000000000EF0000-0x0000000001802000-memory.dmp	themida
behavioral1/memory/980-55-0x0000000000EF0000-0x0000000001802000-memory.dmp	themida
behavioral1/memory/2964-341-0x00000000005C0000-0x0000000001448000-memory.dmp	themida
behavioral1/memory/2964-342-0x00000000005C0000-0x0000000001448000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Screen graper.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Screen grapper.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Specter Screen Grabber.exe

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
3172	Specter Screen Grabber.exe
980	Screen graper.exe
2964	Screen grapper.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Specter Screen Grabber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Screen graper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Screen grapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 21 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1"	mousocoreworker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1733097635"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "00188010E59E96B6"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "00188010E59E96B6"	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 02 Dec 2024 00:00:36 GMT"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={48F3852C-80C8-4EFC-8BC2-B3FC8C353B59}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\00188010E59E96B6 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000acabe8a42aca9c46b5ea29c0326f10e200000000020000000000106600000001000020000000472177ac39fe089b9db38f47091c72812726626cad3ac0eb334fa6971fb33553000000000e80000000020000200000007d2c052a13c3a610306020eee61dbbfd8f0c556e9afed18d1c4c8d83f06633bd80000000c9cb4e8c8c3f5948a0db22f1cc40f0404f56d7aa1027acc351d611de085123973c85f048ed384170692ac89b54d2179e77182c201e6cfed89718a86cc09d85386be4f3fabb7afaa13d00bdddf416b5eb366dae61c037cda57f74903f16bc185bb3175cbfce4d0dbc6b8385043deac23e5fd9d6a23c7e417aea245e33e423484c40000000ff1fdd1f76a303393cd7e2235657a9857f2a7c81cffb39b9df93d844ab365e5c681ea99397fa0951823cbdcc3ddf767c172ac9dc03c75756e93745cdfd1c4ade	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}	mousocoreworker.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000acabe8a42aca9c46b5ea29c0326f10e200000000020000000000106600000001000020000000347079ca62c55567f62fe071cbcfef94bd203ce25ec52942a6c0da6b861b4f7d000000000e80000000020000200000004babcabcef10ff3e9c89979045bc893d74c9b36f5b53f2252d4c6610e1d18606b0030000012a4266fd74d291ddb00654cecaaa909b162dcbb7379ee49e8aae732d8393e21f81a7fcd925e1c30b06154afefd2a88b3567629440d833c9ab6f6bbf70c0f06863c334af419c0b85d42fc4aa1450d98240725f7b97bba62708ff971ae57a01250cec979009d686d6d3aa56010571a7fa1a74352768cba2206b145d3238342002315a332b094485a791fb3b01e4288265330da41471c287b568c034875806a055d1d6e2be2b3985e1805831788971f1b035f07017249c7f91fc96dd51b496f0e522a03e4d0f65a20c4abae5e1315984375cb7a9b4a0ffa290f2926566c5b33f01a8d6529d7ad3b741601fc4f0b79aaf012c0429d5ab99bec7c778f9d00e0d64437b5f554cbfb659fd05cb40dfbb73b0631f5deafe8b3c288385b79ee6cd36693e7157a9097c7d429e1edf90b1aaa6d498d7137f5ee7b6e3a7ba3beb54698790cc7279b7c74c7536b6bcd2d28af905afd2870635c3566886b514b4d906b74e130e39d45732b9ca5cdcf5906776db38a6f86b92fe3e3e20f3d1f23bd810a97d63e0dd9a3816ad7d5693044e2881f504e923316899ae7c0dade20afa0a2c183e10078f5746d832eba757c7952f14162e79cd048b15c2e0e1edd02f03b6cde624d2f13b098730db368f0eca7fcbb869d7a753d3fa460e09f75cdd3df387e202c977fff1ab63aaf91360e79987507d10b136347a3ae828931b6900fe3507eb83ab3cb3f004795c8889dd069f7aa382c6e01b4cf1ba925ceddec19c9f1d8a0d4df263231e835f7cc5ed8f59cbb6724b24674d66694439f01606dee046769471a6c9450f7cd12ef3dd7b89d453a56fe071b3d2daf84876fa5a269408fb9bc5877fca4b04bf75e216356b397a4bd4fd08d200c1af301a912e29e2ab5bc3eb011bce8017fb778561bc6f19b9310c35a9d378893e0368003c4ad53a94be7c269636bdc90f860dd97f546e8d7b092f892e8a17fbdb26dd90f90e00a718ba9cefb85f9287423e3d6576bc58c979417a302b15dbe43895df7fc036c2bf451791241b5c6e58648a4452c5a204aa9794cc609fedb891d394d3f961573d6fa02b40f3224e76c4d9c63fcefb1dbbd0231e269f7bd0596c3cbbf0440776cbdfb93c781ebf17e857f3639915954540535be8f2a107d5065d434fdaf57ebce01defadb1f19ca0feb81bab63d75e0402cc48957f7f13fc1539fd13a70a6ff78a0ec215eb2f560349bef666b0fc5cba8f0afba0eb2230c92ed2e5ca38e81e0c7aac5308c58864e8047b81a42f958f911afa31ab46a045f32290484e916032b6939319a47ddc93bd169eefccc69d35de112e8aedba434228265aaf04000000058fd40e3b7e8abeadd82d3adaaaefb99f7043cff4d4141b0b27a3e7eefcfcb10a0d16331cb2406cca13a8fd28a50ee81a2cbfc92cb65ba6952f40845d166a30f	mousocoreworker.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1464	SCHTASKS.exe
1832	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3172	Specter Screen Grabber.exe
3172	Specter Screen Grabber.exe
980	Screen graper.exe
980	Screen graper.exe
2964	Screen grapper.exe
2964	Screen grapper.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe
708	nrrnld2l.rio.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	980	Screen graper.exe
Token: SeDebugPrivilege	708	nrrnld2l.rio.exe
Token: SeDebugPrivilege	2964	Screen grapper.exe
Token: SeShutdownPrivilege	4588	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	4588	mousocoreworker.exe
Token: SeShutdownPrivilege	4588	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	4588	mousocoreworker.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeShutdownPrivilege	4588	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	4588	mousocoreworker.exe
Token: SeShutdownPrivilege	4080	RuntimeBroker.exe
Token: SeShutdownPrivilege	4080	RuntimeBroker.exe
Token: SeShutdownPrivilege	4588	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	4588	mousocoreworker.exe
Token: SeIncreaseQuotaPrivilege	3008	powershell.exe
Token: SeSecurityPrivilege	3008	powershell.exe
Token: SeTakeOwnershipPrivilege	3008	powershell.exe
Token: SeLoadDriverPrivilege	3008	powershell.exe
Token: SeSystemProfilePrivilege	3008	powershell.exe
Token: SeSystemtimePrivilege	3008	powershell.exe
Token: SeProfSingleProcessPrivilege	3008	powershell.exe
Token: SeIncBasePriorityPrivilege	3008	powershell.exe
Token: SeCreatePagefilePrivilege	3008	powershell.exe
Token: SeBackupPrivilege	3008	powershell.exe
Token: SeRestorePrivilege	3008	powershell.exe
Token: SeShutdownPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeSystemEnvironmentPrivilege	3008	powershell.exe
Token: SeRemoteShutdownPrivilege	3008	powershell.exe
Token: SeUndockPrivilege	3008	powershell.exe
Token: SeManageVolumePrivilege	3008	powershell.exe
Token: 33	3008	powershell.exe
Token: 34	3008	powershell.exe
Token: 35	3008	powershell.exe
Token: 36	3008	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2528	svchost.exe
Token: SeIncreaseQuotaPrivilege	2528	svchost.exe
Token: SeSecurityPrivilege	2528	svchost.exe
Token: SeTakeOwnershipPrivilege	2528	svchost.exe
Token: SeLoadDriverPrivilege	2528	svchost.exe
Token: SeSystemtimePrivilege	2528	svchost.exe
Token: SeBackupPrivilege	2528	svchost.exe
Token: SeRestorePrivilege	2528	svchost.exe
Token: SeShutdownPrivilege	2528	svchost.exe
Token: SeSystemEnvironmentPrivilege	2528	svchost.exe
Token: SeUndockPrivilege	2528	svchost.exe
Token: SeManageVolumePrivilege	2528	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2528	svchost.exe
Token: SeIncreaseQuotaPrivilege	2528	svchost.exe
Token: SeSecurityPrivilege	2528	svchost.exe
Token: SeTakeOwnershipPrivilege	2528	svchost.exe
Token: SeLoadDriverPrivilege	2528	svchost.exe
Token: SeSystemtimePrivilege	2528	svchost.exe
Token: SeBackupPrivilege	2528	svchost.exe
Token: SeRestorePrivilege	2528	svchost.exe
Token: SeShutdownPrivilege	2528	svchost.exe
Token: SeSystemEnvironmentPrivilege	2528	svchost.exe
Token: SeUndockPrivilege	2528	svchost.exe
Token: SeManageVolumePrivilege	2528	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2528	svchost.exe
Token: SeIncreaseQuotaPrivilege	2528	svchost.exe
Token: SeSecurityPrivilege	2528	svchost.exe
Token: SeTakeOwnershipPrivilege	2528	svchost.exe
Token: SeLoadDriverPrivilege	2528	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
232	Conhost.exe
400	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 2964	3172	Specter Screen Grabber.exe	87
PID 3172 wrote to memory of 2964	3172	Specter Screen Grabber.exe	87
PID 3172 wrote to memory of 2964	3172	Specter Screen Grabber.exe	87
PID 3172 wrote to memory of 980	3172	Specter Screen Grabber.exe	89
PID 3172 wrote to memory of 980	3172	Specter Screen Grabber.exe	89
PID 3172 wrote to memory of 980	3172	Specter Screen Grabber.exe	89
PID 980 wrote to memory of 708	980	Screen graper.exe	90
PID 980 wrote to memory of 708	980	Screen graper.exe	90
PID 980 wrote to memory of 1464	980	Screen graper.exe	91
PID 980 wrote to memory of 1464	980	Screen graper.exe	91
PID 708 wrote to memory of 624	708	nrrnld2l.rio.exe	5
PID 708 wrote to memory of 676	708	nrrnld2l.rio.exe	7
PID 708 wrote to memory of 956	708	nrrnld2l.rio.exe	12
PID 708 wrote to memory of 324	708	nrrnld2l.rio.exe	13
PID 708 wrote to memory of 408	708	nrrnld2l.rio.exe	14
PID 708 wrote to memory of 476	708	nrrnld2l.rio.exe	15
PID 708 wrote to memory of 876	708	nrrnld2l.rio.exe	16
PID 708 wrote to memory of 1028	708	nrrnld2l.rio.exe	17
PID 708 wrote to memory of 1108	708	nrrnld2l.rio.exe	18
PID 708 wrote to memory of 1180	708	nrrnld2l.rio.exe	19
PID 708 wrote to memory of 1228	708	nrrnld2l.rio.exe	21
PID 708 wrote to memory of 1252	708	nrrnld2l.rio.exe	22
PID 708 wrote to memory of 1260	708	nrrnld2l.rio.exe	23
PID 708 wrote to memory of 1312	708	nrrnld2l.rio.exe	24
PID 708 wrote to memory of 1456	708	nrrnld2l.rio.exe	25
PID 708 wrote to memory of 1508	708	nrrnld2l.rio.exe	26
PID 708 wrote to memory of 1532	708	nrrnld2l.rio.exe	27
PID 708 wrote to memory of 1548	708	nrrnld2l.rio.exe	28
PID 708 wrote to memory of 1592	708	nrrnld2l.rio.exe	29
PID 708 wrote to memory of 1672	708	nrrnld2l.rio.exe	30
PID 708 wrote to memory of 1732	708	nrrnld2l.rio.exe	31
PID 708 wrote to memory of 1860	708	nrrnld2l.rio.exe	32
PID 708 wrote to memory of 1880	708	nrrnld2l.rio.exe	33
PID 708 wrote to memory of 1900	708	nrrnld2l.rio.exe	34
PID 708 wrote to memory of 1908	708	nrrnld2l.rio.exe	35
PID 708 wrote to memory of 1920	708	nrrnld2l.rio.exe	36
PID 708 wrote to memory of 1984	708	nrrnld2l.rio.exe	37
PID 708 wrote to memory of 2076	708	nrrnld2l.rio.exe	38
PID 708 wrote to memory of 2260	708	nrrnld2l.rio.exe	40
PID 708 wrote to memory of 2280	708	nrrnld2l.rio.exe	41
PID 708 wrote to memory of 2528	708	nrrnld2l.rio.exe	42
PID 708 wrote to memory of 2552	708	nrrnld2l.rio.exe	43
PID 708 wrote to memory of 2560	708	nrrnld2l.rio.exe	44
PID 708 wrote to memory of 2568	708	nrrnld2l.rio.exe	45
PID 708 wrote to memory of 2624	708	nrrnld2l.rio.exe	46
PID 708 wrote to memory of 2768	708	nrrnld2l.rio.exe	47
PID 708 wrote to memory of 2800	708	nrrnld2l.rio.exe	48
PID 708 wrote to memory of 2816	708	nrrnld2l.rio.exe	49
PID 708 wrote to memory of 2840	708	nrrnld2l.rio.exe	50
PID 708 wrote to memory of 2868	708	nrrnld2l.rio.exe	51
PID 708 wrote to memory of 2884	708	nrrnld2l.rio.exe	52
PID 708 wrote to memory of 2980	708	nrrnld2l.rio.exe	54
PID 708 wrote to memory of 3080	708	nrrnld2l.rio.exe	55
PID 708 wrote to memory of 3556	708	nrrnld2l.rio.exe	56
PID 708 wrote to memory of 3644	708	nrrnld2l.rio.exe	57
PID 708 wrote to memory of 3748	708	nrrnld2l.rio.exe	58
PID 708 wrote to memory of 4080	708	nrrnld2l.rio.exe	60
PID 708 wrote to memory of 4104	708	nrrnld2l.rio.exe	62
PID 708 wrote to memory of 4336	708	nrrnld2l.rio.exe	63
PID 708 wrote to memory of 4624	708	nrrnld2l.rio.exe	65
PID 708 wrote to memory of 2916	708	nrrnld2l.rio.exe	67
PID 708 wrote to memory of 4572	708	nrrnld2l.rio.exe	68
PID 708 wrote to memory of 1584	708	nrrnld2l.rio.exe	69
PID 708 wrote to memory of 4872	708	nrrnld2l.rio.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:624
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:876

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:324

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1180
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1228

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1456
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1548

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1592

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1900

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1984

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2260

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2816

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2980

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3556

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3644
- C:\Users\Admin\AppData\Local\Temp\Specter Screen Grabber.exe
  "C:\Users\Admin\AppData\Local\Temp\Specter Screen Grabber.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Users\Admin\AppData\Local\Temp\Screen grapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Screen grapper.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2964
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5084
- - C:\Users\Admin\AppData\Local\Temp\Screen graper.exe
    "C:\Users\Admin\AppData\Local\Temp\Screen graper.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\Users\Admin\AppData\Local\Temp\nrrnld2l.rio.exe
      "C:\Users\Admin\AppData\Local\Temp\nrrnld2l.rio.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:708
  - - C:\Windows\SYSTEM32\SCHTASKS.exe
      "SCHTASKS.exe" /create /tn "MasonScreen graper.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Screen graper.exe'" /sc onlogon /rl HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1464
  - - C:\Windows\SYSTEM32\SCHTASKS.exe
      "SCHTASKS.exe" /create /tn "MasonScreen graper.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Screen graper.exe'" /sc onlogon /rl HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1832
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3720
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Screen graper.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3008
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:232
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Screen graper.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:4140
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3748

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4104

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4336

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4572

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1584

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:4720

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:8

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4728

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:3536

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 34cda96121fc08612769bea509a8912b jeBx4p2HikmEgec6TMiamw.0.1.0.0.0
1⤵
- Sets service image path in registry
PID:1244
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:1484

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Enumerates system info in registry
PID:4904

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4568

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

System Information Discovery