asyncrat | 8930244d360f2da7f1b4dad68a59d5d768e78b4256da9751055ee541d45da616

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dosvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UsoSvc\ImagePath = "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"	WaaSMedicAgent.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Output.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Api-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Api-Updater.exe

Executes dropped EXE 7 IoCs

pid	Process
4512	Api-Updater.exe
3392	Api-loader.exe
1484	Shadow-Spoofer.exe
2100	Api-Injecter.exe
1724	uhmlgtreufhe.exe
5760	Api-Updater.exe
5824	Api-loader.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GsjJjnxnnax	Api-Updater.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\MRT.exe	Api-Injecter.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	uhmlgtreufhe.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2100 set thread context of 4764	2100	Api-Injecter.exe	121
PID 1724 set thread context of 4648	1724	uhmlgtreufhe.exe	149
PID 1724 set thread context of 4352	1724	uhmlgtreufhe.exe	150
PID 1724 set thread context of 1220	1724	uhmlgtreufhe.exe	151

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Api-Injecter.exe	Api-loader.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3032	sc.exe
220	sc.exe
3172	sc.exe
3716	sc.exe
3676	sc.exe
4848	sc.exe
3728	sc.exe
4768	sc.exe
3728	sc.exe
1912	sc.exe
1580	sc.exe
1732	sc.exe
2328	sc.exe
2432	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shadow-Spoofer.exe

Checks SCSI registry key(s) 3 TTPs 21 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 58 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3227495264-2217614367-4027411560-1000\02skkmmrbqqmyxle\DeviceId = "<Data><User username=\"02SKKMMRBQQMYXLE\"><HardwareInfo BoundTime=\"1733555723\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3227495264-2217614367-4027411560-1000\02cxaobyoycdgrkd\AppIdList	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3227495264-2217614367-4027411560-1000\02skkmmrbqqmyxle	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3227495264-2217614367-4027411560-1000\02skkmmrbqqmyxle\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3227495264-2217614367-4027411560-1000\02skkmmrbqqmyxle\DeviceId = "<Data><User username=\"02SKKMMRBQQMYXLE\"/></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3227495264-2217614367-4027411560-1000\02cxaobyoycdgrkd\Reason = "2147780641"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02cxaobyoycdgrkd	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3227495264-2217614367-4027411560-1000\ValidDeviceId = "02skkmmrbqqmyxle"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02cxaobyoycdgrkd\Response Saturday, December 07, 2024 07:15:21 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAZFxp3PM/ME2Clk4wiz2krQAAAAACAAAAAAAQZgAAAAEAACAAAADsbC8EHSd92hWNI5MPWCjgwEMA0V5dqCYuNpOXYosYVgAAAAAOgAAAAAIAACAAAABJgsG+yec/ofDukNfb9o63G9e0C6usUgWTUwMXym5eeIAHAAAZi4uFvdMKQDNPqQcF4w4kwpjaH2EMD/EDZrKkdeSvVEK2/VkcSWGuefy2MoOCCT7ed5qk+pEBxBK3PG9BWZH2yU27jYEFRw+6JMNXKcEqkpk0+EovpzKLlWcbRLefEAw9phLbcdpcku5UPduBw5UlcaYGl+leSOB1twg7xXJC3+uOuQf8q0nDNbxfq9cTL42c+ecIlp8thHeXgigEoOVDCmp+CwFSNg+/7rdhjjWiP3os3vzu2WrIirP6nYrRyzr4MWqldDIHu0ORGtsrV//+yslFAy9/TpAUJjj6xbm+2P40Lfn13DB6ynE7r2oU9/Mwb9Lz/foMU/aT/rFDXs6poXRDMCSdQrUYhRlJDTetpfn4nqkSPRB301o+4yXUcCAp60TaRCIhYEGaWZ5LDDJdIKiaCiQ2ycfbnMJ+ndne3vcMpk9jNdaPXFldBnvQOv+HYwyeqkBnq68TbH/TBKwJrxBL6yvcuM9d6mTe3qZM3J3OsCKdJsB/PzP/uH4jRQNpBlUOGTkh+WJMYW1brMEaKOmjGmWBu2ix9p5a6fPXZdP89nQRcbLSPdblpe4G+vshvP4AcTb6TFoa5I0cc4tAqNHzVX3kUC8xyKtLIYEpxZ7fj/SQLBXZaIG/Z40iniDmlk3EjxgaouM8QO1zGOUL9pYePEUV8tknIzBz4DVNrN3ZmxiMq7bpLWzuFF3fP6fQom22muFGfiwgQ09SB+LwA+C5Lr6M16WEy4kBtNWme1csRO9gbdEewcinAwYsa2Svs6SFHsLLlHKhda9CLNv9m+TORwFX7i1G7gE1jTHBW7NJNOObqVydmxFJ0kLAoQ3jq9dek6pboHTlGCe7tdqN/cLCR98coRBMyh2q2UaEVtVCfgUNBNYVE7U1hxfF3mWNUOv/ksiPy+qnsXCtkmqvpTaLUdJ2zmjuQoT6mcmKU1xvCW13zo3eWqQ/gBDXgldt+26o/egNLai8A7c69OT0wSN6YOSlnDSvFFmekY2Eg10pyD/e1vD60yGk4xIi8k7tc8zyCqAu6CM84Ho20jkQtBgFiOGc9FkQ6Ep4vYijDYKbF5lzSwtdxfZ3W3H5yRVIsJAWC40MyhyCaWia1Pgna41325+jdMGqZV9cgT1v4bikO9JOeaz8+sSfHSQzRRWIwgtfxgAHkKeyCETooh56Q25kh5pBRkP7GpavJKVJKT6W8hiaG7xg/NaER9brQ9hZj+5qLGTzohp4eHCS2VfJf1VoTijWvj3PDbPYNGX1l6/ujMLOmjFkJPzgS/OElWqsgVHC8PnO6cZ5CHECdDyutrGjJ5yDQs883wBrrofVNGi4v2F6cXfp67O75SIKNbgHnAfEGRUOI1q0iUMOhYDMXe88wodYUxmcQwGyYaC41sb3qRnJ4Oi3GK6hop+eDARdleWpVeDOd5VSimrKOPpAgRL0Dre7wdF6Qremhnqhe1KKk03aKQR6/WfeYl0qPJCWy36MfKOflZJpQdYv9yeG94P3aPdZebRrz4eOwAkaYGjaLc04CYZumdgdmJpc+YjFmkvfqFAw6HY52pwGtFOHcNmpV3ZJoByPh/rq1YgozUHIKj7sc6eQEtAwQsssgO6vHUBQAmeTh/an9LJcI8VmjFOBwI8uJRRIP4fghJcKCBoHCiolv5DvU95oOY7ZApkN236QLpPDrvITyUu7G9JIYtSwJycJBXxOrqTyOsX0KihB4P/EooY9O0yVAbUy+VRgSeYkKh8hW8zE1GFY99qHd+9MsheUjXpaV/VJZh73HbemwDhMIn9L2l8KmrFDaD2W8zLTu+VW6UxgiAcQ+x2QiXek6cYhxr0czxZ24unys8c0u4ayjtsfffmYdd5V6E6ezTZTwThNNsq4V08Vch5FziWvLO2/7tiVkr+AYpSDy9D1Sw/Yl840jptkcxLGnImJ333Vb9pGoWti5/oydJTkwariAvhIzy4ns6CT88+2lsEC8qcAntP09yAFflHIR9C6XLJDFhYZLxtSz+6gOXs3Rzx6Xfdr8YDxB2T9bYyJT+W/1lgNwnWm37m1baEdH4a7bhwafP6K9/w0lXo9N8BIaRUOfRD++BFHYoFpVxq0Qc9KZZIUKcdIdnMKiNiteJRsnBTPlswRe9JnBgKabBpyuYt8Oxr05vhVos0U0DAVEeEsp5N9FkBWowsc5NTUIGYzjc8PgxkRI6EHyW+aufGjOgozC99DXNtKeGc3bBFdevAQ4Xa0YEmnlMZSzwrzTqO34ma6qAGxyW0AwHJoi1wEA1unJo/XPNP3mqSsegKTG65ogZmx3DPED7LKsqVw6PV3qXjYeCJyYV6+/oGez2KQcTSeD1PZMPRgxCz+ntqKe1z1ehuB/CnU1fNAwh8/V9cxvSU4Hn48i3/LjHSRpypI0h1ZVgSwaHZ+6mhUNqh/8qQrTzQyylXrkxckjZ1xUu2TvjEeNZRA29YD+iRboQQjAF/nc3ksh7/3xnWKBaCcHihS2ra9hnbm7FeUnLKkqNhtY3Gtt3v7nnW7vq+kFFUUOsfTJ611PsTWxl+S8py/nYO7rVkcTrYUo0xTvZLgeVZAAAAAqwOFjVb/sW43Nh5kw1jNPi8e9TDz+EoDP7Ehdwy51wbxvVrNk9lzEOsP9Lq9Yvi7IX/zsHLVrehQ4fvEHtSqYA=="	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02cxaobyoycdgrkd\Request Saturday, December 07, 2024 07:15:21 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAZFxp3PM/ME2Clk4wiz2krQAAAAACAAAAAAAQZgAAAAEAACAAAAC1xmN81PqISK+3eSBdUKvUR4P9gRldQ9qKccaPkN3eIQAAAAAOgAAAAAIAACAAAACdAb52MCqBX2612NVLYKC9e8xUUkVb2vlCN/YkCvhbUbASAAAAB7MnC4hHzfJdhOsd0/kExnMeCJFY4Lho8Z+aeT40NZLJLzycEnHWMSqQ6wrIjcKkQ+cOttjew3VSdku+cYHvQmbDTJTcEGL8B2IuaohNL/I5t8WiZk/W6VdU0tWlkYqVRHzSIodlIJZKEo4skSf9eznPikiDDZ+Y/Nj9BTVfQuYnw6tcO8nPyWuQ3I0uffFQQu9gj0/oxX3RelxCyHLNlMY4c+8juDMuOv2zhi6Dr4crcOIGrS75KDacqVRtxFd8M/UTX0jj72QODifw94eLWBrpgJBXoSykARCYvUQ7EAt04IIUMC2MdcIUcuPMrpPgSOtNeWnTbEzbpXi+B0AMN0qjz1v/hFInsAEcLNbR8kbSRiLCjBE3MNcEBt38cn4SsypUhKAkJTSUNPjqVVsjVVWgK25lBjvacd4uEiFzYZ017+YAgR2TnxJUixmrP5qzrRA3KuEv66GJ0iNTI0DX25kIlfZLjnGcTcotPqyWkVTZRaRTbNDbD63Xt//4uey1jT2wX5hTDK+jMl02IPRCv+f/y2ixaOeks88kWnptiHLA9BqX+6IgYWpVsKmWsA6Ef2nZ48F44qF+2iS/Y2FLJkqMWKqGZ/trOxi8utEA8jlHnXBgjjbRCg3ZS+H4S2/GIcmsF8HazEocoqOFHDsIuFM+k86KLbq/evndLPPJsKIlmqnVUBANTR1y8T1t0u6D4Q47nx5CWsNTUTWST4cPBibyJDrn7sxLz5Fc573Ko7qoZx86cN6yBZnfFKsIgy7VYt0PcayELhuMM8ANWZ0JCqZ0mqeyulOxNC4zWzKE8dvQ4lauTtFRE6ijC3uqvfK26qfBouE2gyHB6pPAzmiL9F5tEgjUpUvwVtIY5s8T1T3I9uEEmXIXv5XxlD08RjTbZKPM+I3mXBzBA0ES44AzMUHHRPQyQmMuT3EXWOh0KuGrHO5h9cyEju7eP7NS+apLVl0wYJ0LPHfCqmVRy0WN4A/tr4rutgYSuze6NDITlrynDYxM+99RFIc3jLxI5KRjS6MJHgWsSPFUomBixaI6neIChRxE8lkjRhSdRFZmxzV4mOp1OzwzKXVTInGjBrTv8YwUtF6Dzu5xbqLApjE30hOHvphUxj/7oQu2pLC3CdFL7vfq3iKRnOH2fhFez1PXNpNEa/KqOsnddrHSSqLGh5EesT3IckGR6hKIcpNh4oxqj9BcttF5kzqm3lgry3bNqxEWEKKWrSkYfZ+LscyS/F3eE+t9UFDO33RSYwahGcRlMVrVBYAQON7wdG1L9aI5L+jqJMiUR+gv4fqF/fCmMP/6lMSLWc1MEygPNb++GG2EVctntrK77rASsQcyYDD0i2Us3sQ7S3XP9z/477xD81LOhEoR8k9zKktanY5xq1j1TVdsg9q96Z84fVIQ/OMwWJgVIhhEDsvQWDoeHEObXTG2QBWlsUCY7DSwG5D05cROHAiKp/cp91e/fm1WnrVa9Rtw7A/p/Rny0FMYSA4AkLJorYv/zfpKtDunK/hwva/Fneckt6tmIrBOgPqVK5w6YQ0iwt6W4B1ImaQTEFq28RRGDI+12l3V2vD/phRARhewD+6+ztNwb+tVcJLcCy+AWGJg90CDazfq/a01a74ORPFP0EIpXBbi/GeU3MPqLcFkOxChze5uA/9VGqavmjfjn/6Prx/BxrC0Ki4XEY2tDA/UgKvHFvVwUe7rYmt4GbQNNNpomc7Z1/5Xgb4kcvsWdt0t7jfyS65fvUVGeVvXAdrriqwUZ88V0R4qRuvnSrUUyyG+X4Hmnqri5YzThIZIf+8EDSFrO+pcs1XrPADJQLxgEVltJwMEBSZNXwAz5EZTFNV+j15Q5JJpfd4w2z9DCaRH+pKMA6FIi1jdLzbfMHAU0FY6pASMHUGFrg9kucFdWZNfhMpDW7HTcwMVadyhCyoCUG9Kih4mZFOKPpejZ7i1Z4v+vcAu2uuuwYNS5w3vrgb1MQ1XQ4CR821Vgde6HrEVUGwyKsQNf45xZvlMgLKPongYvEYcVFqyTtLs4bs0I5CbCXNcZxa5sCd8RVi4T4+MxD+Y9kJSnmgUOmXXkaNLLeOn8aEh6/Tuu2lVDCFScuHA3c/k4cCPPFNQfD+yZlwRn8XROJI4nEiZrAwbdsJBJf8yOlwoqIwe2K++N0As8nuIZdAO5wpw4rg96Dw7eG4YG5LapQ/Q3NByTjb7JTaRbdo2GUtwwXALi4Y2PVbsHMjzGXOIBGTt5mTkM7teg3tt3OF4Mbb/ZYnvuX8o5yHpocWKN730RKhjbs8AIgiwvDa7UgAjujZdZVf56btoi9qGx4TibdulWnDOa1QvXeBKAApGmL1oNrsbpnuK5g9WzAqQhCw6x/deWgDsi0TarNSOVXp6LZwUCrpWgiwQ4Z5pz0A1TICJ88x/2zlTpvN4p6aVeccUK/SmILgJfSDEuAIPc1YmyrEAaUv4y/Mqsay2TAQE3aGNzD7BCNVz3ShsWbfuc8xpK/uAYnhVEgGeBweKQBHH2fhz5faYDeEqFTjfQqXsQV9A7A3KoSFddXp4/5J0kKnI4RS6bOvOBipLZxx7J//XJPN4WBJ07D997uBxoaUzwJgVddrDrxnZaPBBLq7psTxTF0nyAFfXdlWUEmNzzbIOixcPZzGf0B6o+uHCDt+uDLl5y6uzgJuG/BajaqQFvmji+R/Zcaxe1sPXJmcE/Eh62SXk1uYBf481+CH/e1Xcq/+pzggsYowvnFLDlwIprXwTMacHPVHSqaKEk/Vev9eNr3kxNf17p8C73pjp679xs+OZXy9kwWXGF8gAIpNM9nY3jvvZz6ikGekm+W4cchEHCmIDSsHldYk6qvITi6XgmIHDb30FXAXVCTl1i/MO/dwIv0RzdDG74xHKKwOjHRgMMk/c5vJMEEbDoOIxuOc/r7pGA5fxgv/5XhSKvygxZzAR3gLD0PWoO7SCvWPGLiGzXks2VwLADq9FkdKxSwkJLxvGRH9B+pL5tZggFwqksteBVzjXcCo5yUokvD2wUCBup2MT4ZibwNBwr4TqEB+kiVn3l4N3KjDiGf6Vbhu75S22xTZu1JPrPfz/BsICJbeqaTgiF5+Um03WpvPNZ/ZrnvbEeqsWO1qKaEjSMkyxEOxw0gi8ZGPjfEZ+9EE/UxUK4F3pc9eVPV9lKdDX0tl2x66dFzGLE/8TuJ2kYedDiO5ji5ATY7uRHkWMBC77htAGbp5oOH2aBRKIMpRpg5IpF41v4WfQjBniapGVE+d7OlA5Bsv3tbna362BUs34+Epr6E/ymyezs8svo3wp+AykFdeXLibzduO9Wksi0yEOX5mQ4oDmENz4XlhD9UKR/so9TbMhN3ArrO6jPYNC/upc1f0AnaM6CC/khskbAHYYoy1MvTIDLdrXht2Y+yiJwTQPz2eDs36Fm4iqfTEWZZu/vKNs1B4CcCgHQbmIFVnSXRDty3BSWt2lLyckHAdmYPntSupjdhESpbPOKDNdi498JMAMpYGge++4+ofxXl5HyCizUK9QixelxL0UNsK9r9H4+szYcFPqBktU5ZOW8UU0v7AVgq+3yVu6F/2c5dfGGaq3GLkKKx4Nsfy724QNM2o1FFL2C5Vf3YJKH+nzM8z+cH8z1I6z/BXO3Tydhw5uLjzuy83YY5DTfSZkb/mH5+tO8V9tBAtQh9Gdvc9xKaJTFEHEo1zQzr/9u4iiD1CxMV1EG9VStPgQypmBzoM2rAwf7fuQcP5Y083hpAeAgoW2tZiNQ+vwxhkKBnFVQwZBEonvjEb9RM3BbDZ3J+c14GRPS3WY1LLosrfc35avseAUqagJytbEW65jT6ZIHtMnBglQ+edTRDJON5gXeUlHtNi1D8lbq9vyAhPjR1o189bUtbjO7hHfXGtinM28W5PUcDX4x+SMtHejDWDpJB5FZLOZEUg0lMd1i2hGhaZrKKBAJzpv2Gi0xNlelfg69a/Ae8RMpU1JBq/YyOc8GxfRxSgqmejkE1t8APS1LY4F1X//msTNNwa68XmEtK+SO23S6LGVfmA1l2CCLJVup1ONFQPNTHY6WdxTp2OKlpAUS+601ogW1peFcXQ/B1PbtXAdprR3mwqqf9IGa/vYYxFIaZsHJri2wMdAKLpAcKgIkRnZPdh3WsnEuYaVXxpteXyqFDoYEe3c+0mkvUkpvzWhdhiyzsBzWGUY47ZW+cSdNMdl/L2bXhYe8zM58tOE1ddmYlJdPKGv8cBSdld95Cvu7UjrivHgriBoqugl3Fd35ZETla3eDvghZFT1cFyO0ek0K70UF0w7o4a0heqL7+F5IgfxKHUqVEcwqd9qqizkYbdaW5ci1+ZHxpi6pIvl+ARZO+xp6AcVQI1CMPPJZj5B3PkAoPyIzlgOvdDBernoImc+e9gDDFyWVGWLAEvM6U5gCY5vewTGnh5OVvGLh62AM8kU2cpdeFKUyCJ+R9wENjo3C/OOfCRWXkpX4DFI+5kvy+noWSqUxVTRj5tt4Lb04w4d7RUqrZZafXTg0ab28Idz4FGaF+bijWFp0NoRli+M47a7H+PwG42/p/xZV2wQW7envi2lw363nHP5VGGcUjpZWlkoFlY9m3P3/N5AKcvQLGLRQNT7eQQzByTIG+iJADJUFRjMCx7iFGNPFcIAAxyXz4KgSFV3hWFSkq3C95EEbkERXztE6E7UQUvyq1hvyH+45mxfQW4tYUWAokdPUrkO2gbBB6I5p5aoygx8LdD4LvYLXT6bajo3uAJAtVpjooajobccO236/uAGT7BpNBsJjzw2aUv+nxUfIw+41Zoa5y+NkkW/+LtyMVJy5fB5vl6lJ43nkJrOEXFpjvypXGBmyn793QmQpVjN5DPLCiDVJSfjwwbc553l2QVQ0/X0E8dOyVm38/8nlcteI+HGFaXUtrtDSI5AbZq3wljEOAV/XbNmY1tIhUewNpz5/QHG+LgoVlyQ9do9oUypHZ/zYSFMXsKriVHL4GUgUE2cHOW/2AjJCrxB1ac6Z7uyNFDrCcG4N47eeXAcxuLFy0Zar1focrdT+nIoCRID318Q7Is3AJJvOfSqZs2Dvz2zLb/oCtX14Xcj1Ri8gqnuKFk0icfRc7/ERlAw2WhKlWl5wU7ONldPuq3aSrLo0OFIPwIHcsEtKOt4+5wQLv5OuGeaVViHwiwMJGd80vsCuK0sw+KwpVlGc31KmX3mohndMnTbDDdKzyICPMb7/MBtJU/kRgqHILkZPBYfMaCg82rja2l+FOWIjkTnEQHGvkQ2Iyi7EaFAza9lTKr21mkh1U7JzOM3dndMEWiG8boHUPyCu0K6ga4qYSooFg4cXD+GkUV3C8H+syA4RTffc06afKYgoOSMtb8n9uJgYXLFhMTzw/Z56MiY5s0o/7rtLj5oJdHMtx4tBibWvLti1EhTQFODJ7bWG2ZcRaDhtgcFm+RfCLkTIAr6UzyOfIs4LTkdbRBwEJWxWBEfaT5yq3jaUVTGpWnNjg94+fmJn/n76Pll1N9aCwI3v1XcRkXam+AEDEpYLIhfqPBfoLrnX3AaWM+TPavJiofRDhfMV1kIsR0XkaThdlECCBmmxkxOmRGL+cuq5VpIkLw0itMjqye3u1uiopxoX20mDugGKaSiwBAcwtZ0rjrF/FNXaPXzF0K/YeiVbicL0RhHT/PmEmAr8lNh4YxcbeLXcvn4rahQMkVYxsNWyb1DcyEC0rMuH8u196Gn7/tyR8YqGuYjRhnRVA0m6RT0Lepnp+wQitEH1oAQGP+HO9upFCbAtzzdVONvZiFfvB/vfLNewetKPvH6eVX3dIQcRKB305ZWUkoB6yx0O0H4fYi898RYu66yjTYC6+a8dtVeCeSKb7N+YNkzQHCqhat6PdDj07X0V4Giz1PPrAWhxZBeMRw8YO7yXjV3BcO8QPePQJw9GWp66N9ni22GtpZsYt+E4FgR013WowQeKPgbNtIrMEBN88EupbjjJjXAvbLDdqMUnxXMnUfFyNbxQrln28CebNEZVtRQnkm6gLzC0oQdaYfpjsqOlQxd0OPAEBpkeHeyQMPxynO/12kUSXkkG6BEDOBWz2rV1HVat5ZhCdJpnU1RYGKHN3vLOQ7VIHvcXguE/QjJLOZRGJJ/DGMtLQ9cQA1s27fI1fP69OAKPfqEXGUgP0fL6F1u7o1KIIO2JcWwVct3aLhR+pAfexVQ0JwLGL8YVA866AbTE44m4IgrNY79KkOlBP/X9KnmR9JYQNw4XmUcvanTguU/wjaBi7SInN/3lqEy7yWYwKUQMQiBL+5mWdHR2/sShVw0NN4G1LWeOlgZ7A0el97KI6Su2ML5I5zeJePlj8F5pC+EqOW00w1AL6CU5DUboA/9q35W74lMYux8VFf+WS5+lY4IJCWORMsV/Jdjt0AAAAAJfb1FxatNcd4LVzTwESBnB+GE34xLLQo2KLBAoDCwuHgLW6OZyNF6PJrVTPTpBBgECEUN8eCAKZ4mjQC8ztTI"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3227495264-2217614367-4027411560-1000\ValidDeviceId	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2652	schtasks.exe
2352	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1904	powershell.exe
1904	powershell.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
1484	Shadow-Spoofer.exe
4556	powershell.exe
4556	powershell.exe
3412	powershell.exe
3412	powershell.exe
2892	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3484	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4512	Api-Updater.exe
Token: SeDebugPrivilege	3392	Api-loader.exe
Token: SeDebugPrivilege	1484	Shadow-Spoofer.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeDebugPrivilege	3412	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeDebugPrivilege	4220	powershell.exe
Token: SeDebugPrivilege	3572	powershell.exe
Token: SeDebugPrivilege	2100	Api-Injecter.exe
Token: SeDebugPrivilege	4764	dialer.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	1724	uhmlgtreufhe.exe
Token: SeDebugPrivilege	4648	dialer.exe
Token: SeLockMemoryPrivilege	1220	dialer.exe
Token: SeAssignPrimaryTokenPrivilege	1684	svchost.exe
Token: SeIncreaseQuotaPrivilege	1684	svchost.exe
Token: SeSecurityPrivilege	1684	svchost.exe
Token: SeTakeOwnershipPrivilege	1684	svchost.exe
Token: SeLoadDriverPrivilege	1684	svchost.exe
Token: SeSystemtimePrivilege	1684	svchost.exe
Token: SeBackupPrivilege	1684	svchost.exe
Token: SeRestorePrivilege	1684	svchost.exe
Token: SeShutdownPrivilege	1684	svchost.exe
Token: SeSystemEnvironmentPrivilege	1684	svchost.exe
Token: SeUndockPrivilege	1684	svchost.exe
Token: SeManageVolumePrivilege	1684	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1684	svchost.exe
Token: SeIncreaseQuotaPrivilege	1684	svchost.exe
Token: SeSecurityPrivilege	1684	svchost.exe
Token: SeTakeOwnershipPrivilege	1684	svchost.exe
Token: SeLoadDriverPrivilege	1684	svchost.exe
Token: SeSystemtimePrivilege	1684	svchost.exe
Token: SeBackupPrivilege	1684	svchost.exe
Token: SeRestorePrivilege	1684	svchost.exe
Token: SeShutdownPrivilege	1684	svchost.exe
Token: SeSystemEnvironmentPrivilege	1684	svchost.exe
Token: SeUndockPrivilege	1684	svchost.exe
Token: SeManageVolumePrivilege	1684	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1684	svchost.exe
Token: SeIncreaseQuotaPrivilege	1684	svchost.exe
Token: SeSecurityPrivilege	1684	svchost.exe
Token: SeTakeOwnershipPrivilege	1684	svchost.exe
Token: SeLoadDriverPrivilege	1684	svchost.exe
Token: SeSystemtimePrivilege	1684	svchost.exe
Token: SeBackupPrivilege	1684	svchost.exe
Token: SeRestorePrivilege	1684	svchost.exe
Token: SeShutdownPrivilege	1684	svchost.exe
Token: SeSystemEnvironmentPrivilege	1684	svchost.exe
Token: SeUndockPrivilege	1684	svchost.exe
Token: SeManageVolumePrivilege	1684	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1684	svchost.exe
Token: SeIncreaseQuotaPrivilege	1684	svchost.exe
Token: SeSecurityPrivilege	1684	svchost.exe
Token: SeTakeOwnershipPrivilege	1684	svchost.exe
Token: SeLoadDriverPrivilege	1684	svchost.exe
Token: SeSystemtimePrivilege	1684	svchost.exe
Token: SeBackupPrivilege	1684	svchost.exe
Token: SeRestorePrivilege	1684	svchost.exe
Token: SeShutdownPrivilege	1684	svchost.exe
Token: SeSystemEnvironmentPrivilege	1684	svchost.exe
Token: SeUndockPrivilege	1684	svchost.exe
Token: SeManageVolumePrivilege	1684	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3484	Explorer.EXE
3484	Explorer.EXE
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3484	Explorer.EXE
3484	Explorer.EXE
3484	Explorer.EXE
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe
3756	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4512	Api-Updater.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 4512	3788	Output.exe	82
PID 3788 wrote to memory of 4512	3788	Output.exe	82
PID 3788 wrote to memory of 3392	3788	Output.exe	83
PID 3788 wrote to memory of 3392	3788	Output.exe	83
PID 3788 wrote to memory of 1484	3788	Output.exe	84
PID 3788 wrote to memory of 1484	3788	Output.exe	84
PID 3788 wrote to memory of 1484	3788	Output.exe	84
PID 3392 wrote to memory of 1904	3392	Api-loader.exe	86
PID 3392 wrote to memory of 1904	3392	Api-loader.exe	86
PID 3392 wrote to memory of 4556	3392	Api-loader.exe	88
PID 3392 wrote to memory of 4556	3392	Api-loader.exe	88
PID 3392 wrote to memory of 3412	3392	Api-loader.exe	90
PID 3392 wrote to memory of 3412	3392	Api-loader.exe	90
PID 4512 wrote to memory of 2892	4512	Api-Updater.exe	92
PID 4512 wrote to memory of 2892	4512	Api-Updater.exe	92
PID 3392 wrote to memory of 2652	3392	Api-loader.exe	94
PID 3392 wrote to memory of 2652	3392	Api-loader.exe	94
PID 3392 wrote to memory of 2100	3392	Api-loader.exe	96
PID 3392 wrote to memory of 2100	3392	Api-loader.exe	96
PID 4512 wrote to memory of 1244	4512	Api-Updater.exe	97
PID 4512 wrote to memory of 1244	4512	Api-Updater.exe	97
PID 4512 wrote to memory of 4220	4512	Api-Updater.exe	99
PID 4512 wrote to memory of 4220	4512	Api-Updater.exe	99
PID 4512 wrote to memory of 2352	4512	Api-Updater.exe	101
PID 4512 wrote to memory of 2352	4512	Api-Updater.exe	101
PID 3100 wrote to memory of 844	3100	cmd.exe	114
PID 3100 wrote to memory of 844	3100	cmd.exe	114
PID 2100 wrote to memory of 4764	2100	Api-Injecter.exe	121
PID 2100 wrote to memory of 4764	2100	Api-Injecter.exe	121
PID 2100 wrote to memory of 4764	2100	Api-Injecter.exe	121
PID 2100 wrote to memory of 4764	2100	Api-Injecter.exe	121
PID 2100 wrote to memory of 4764	2100	Api-Injecter.exe	121
PID 2100 wrote to memory of 4764	2100	Api-Injecter.exe	121
PID 2100 wrote to memory of 4764	2100	Api-Injecter.exe	121
PID 4048 wrote to memory of 2240	4048	cmd.exe	134
PID 4048 wrote to memory of 2240	4048	cmd.exe	134
PID 4764 wrote to memory of 616	4764	dialer.exe	5
PID 4764 wrote to memory of 672	4764	dialer.exe	7
PID 4764 wrote to memory of 952	4764	dialer.exe	12
PID 4764 wrote to memory of 316	4764	dialer.exe	13
PID 4764 wrote to memory of 408	4764	dialer.exe	14
PID 4764 wrote to memory of 1044	4764	dialer.exe	16
PID 4764 wrote to memory of 1120	4764	dialer.exe	17
PID 4764 wrote to memory of 1148	4764	dialer.exe	18
PID 4764 wrote to memory of 1160	4764	dialer.exe	19
PID 4764 wrote to memory of 1172	4764	dialer.exe	20
PID 4764 wrote to memory of 1268	4764	dialer.exe	21
PID 4764 wrote to memory of 1332	4764	dialer.exe	22
PID 4764 wrote to memory of 1340	4764	dialer.exe	23
PID 4764 wrote to memory of 1448	4764	dialer.exe	24
PID 4764 wrote to memory of 1468	4764	dialer.exe	25
PID 4764 wrote to memory of 1548	4764	dialer.exe	26
PID 4764 wrote to memory of 1556	4764	dialer.exe	27
PID 4764 wrote to memory of 1660	4764	dialer.exe	28
PID 4764 wrote to memory of 1708	4764	dialer.exe	29
PID 4764 wrote to memory of 1764	4764	dialer.exe	30
PID 4764 wrote to memory of 1772	4764	dialer.exe	31
PID 4764 wrote to memory of 1868	4764	dialer.exe	32
PID 4764 wrote to memory of 1064	4764	dialer.exe	33
PID 4764 wrote to memory of 1416	4764	dialer.exe	34
PID 4764 wrote to memory of 1704	4764	dialer.exe	35
PID 4764 wrote to memory of 1684	4764	dialer.exe	36
PID 4764 wrote to memory of 1796	4764	dialer.exe	37
PID 4764 wrote to memory of 2188	4764	dialer.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:316

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1148
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2812
- C:\ProgramData\Api-Updater.exe
  C:\ProgramData\Api-Updater.exe
  2⤵
  - Executes dropped EXE
  PID:5760
- C:\ProgramData\Api-loader.exe
  C:\ProgramData\Api-loader.exe
  2⤵
  - Executes dropped EXE
  PID:5824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1448
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1548

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1796

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2188

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2260

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2820

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2876

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3384

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3484
- C:\Users\Admin\AppData\Local\Temp\Output.exe
  "C:\Users\Admin\AppData\Local\Temp\Output.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Users\Admin\AppData\Roaming\Api-Updater.exe
    "C:\Users\Admin\AppData\Roaming\Api-Updater.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4512
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Api-Updater.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2892
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Api-Updater.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Api-Updater.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4220
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "Api-Updater" /tr "C:\ProgramData\Api-Updater.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2352
- - C:\Users\Admin\AppData\Roaming\Api-loader.exe
    "C:\Users\Admin\AppData\Roaming\Api-loader.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3392
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Api-loader.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1904
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Api-loader.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Api-loader.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3412
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "Api-loader" /tr "C:\ProgramData\Api-loader.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2652
  - - C:\Windows\Api-Injecter.exe
      "C:\Windows\Api-Injecter.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3572
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3100
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:844
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:3032
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:3172
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:220
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:1732
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:2328
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4764
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "FHWWYDZV"
        5⤵
        Launches sc.exe
        
        PID:3728
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "FHWWYDZV" binpath= "C:\ProgramData\yuskvchsqzki\uhmlgtreufhe.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:3716
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:2432
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "FHWWYDZV"
        5⤵
        Launches sc.exe
        
        PID:4768
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1904
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Windows\Api-Injecter.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4048
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3180
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:2240
- - C:\Users\Admin\AppData\Roaming\Shadow-Spoofer.exe
    "C:\Users\Admin\AppData\Roaming\Shadow-Spoofer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1484
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3628

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3832

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3988

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:4364

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:2304

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2768

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3904

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:516

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4732

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5020

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
PID:4488

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 2021442d8116d1c4c7714a1aa89aced2 pvvAJQf7pEK69MXKRNBjdA.0.1.0.0.0
1⤵
- Sets service image path in registry
PID:3696
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:212

C:\ProgramData\yuskvchsqzki\uhmlgtreufhe.exe
C:\ProgramData\yuskvchsqzki\uhmlgtreufhe.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1724
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2480
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2596
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4152
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3728
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1364
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:3676
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4848
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1896
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1912
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:1580
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4404
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4648
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:4352
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1220

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:1420

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery