dcrat | ad8d4a6b44aa1d12db0966ddcf16e07942efce4e3f7303c0845864f7f18bbc91

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Executes dropped EXE 5 IoCs

pid	Process
1036	MpDefenderCoreService.exe
1536	twain32.exe
1496	updater.exe
3040	MsServerHost.exe
2156	smss.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx	svchost.exe

Loads dropped DLL 5 IoCs

pid	Process
1504	NerestPCFree 0.31.1.exe
1504	NerestPCFree 0.31.1.exe
292	taskeng.exe
1876	cmd.exe
1876	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\security\\services.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\FAX\\WmiPrvSE.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\ShellNew\\smss.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\ShellNew\\smss.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\audiodg.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\audiodg.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Uninstall Information\\smss.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\FAX\\WmiPrvSE.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Uninstall Information\\smss.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\security\\services.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MsServerHost = "\"C:\\fontwin\\MsServerHost.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsServerHost = "\"C:\\fontwin\\MsServerHost.exe\""	MsServerHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com

Power Settings 1 TTPs 10 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2996	cmd.exe
1520	powercfg.exe
1276	powercfg.exe
2836	powercfg.exe
1472	powercfg.exe
2560	powercfg.exe
556	powercfg.exe
1612	cmd.exe
668	powercfg.exe
1292	powercfg.exe

Drops file in System32 directory 44 IoCs

description	ioc	Process
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini	WMIADAP.EXE
File created	C:\Windows\system32\perfc011.dat	WMIADAP.EXE
File created	\??\c:\Windows\System32\CSC7D2F785B976C42AAA316FD7FCBF052.TMP	csc.exe
File created	C:\Windows\System32\Tasks\smsss	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\perfh010.dat	WMIADAP.EXE
File created	C:\Windows\System32\Tasks\WmiPrvSEW	svchost.exe
File created	C:\Windows\System32\Tasks\servicess	svchost.exe
File created	C:\Windows\System32\Tasks\audiodg	svchost.exe
File created	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	WMIADAP.EXE
File created	\??\c:\Windows\System32\9w3j6e.exe	csc.exe
File created	C:\Windows\System32\Tasks\smss	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\smss	svchost.exe
File created	C:\Windows\System32\Tasks\audiodga	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\perfc010.dat	WMIADAP.EXE
File created	C:\Windows\System32\Tasks\WmiPrvSE	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\servicess	svchost.exe
File created	C:\Windows\system32\perfc00A.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh011.dat	WMIADAP.EXE
File created	C:\Windows\system32\PerfStringBackup.TMP	WMIADAP.EXE
File opened for modification	C:\Windows\System32\Tasks\WmiPrvSE	svchost.exe
File created	C:\Windows\System32\Tasks\services	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\services	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe
File created	C:\Windows\system32\perfc009.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh009.dat	WMIADAP.EXE
File opened for modification	C:\Windows\System32\Tasks\audiodg	svchost.exe
File created	C:\Windows\System32\Tasks\MsServerHost	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\MsServerHost	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\audiodga	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\MsServerHostM	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\perfh007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh00A.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc00C.dat	WMIADAP.EXE
File opened for modification	C:\Windows\System32\Tasks\WmiPrvSEW	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\smsss	svchost.exe
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.h	WMIADAP.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\perfc007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh00C.dat	WMIADAP.EXE
File created	C:\Windows\System32\Tasks\MsServerHostM	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1536 set thread context of 2692	1536	twain32.exe	44
PID 1496 set thread context of 316	1496	updater.exe	69
PID 1496 set thread context of 2544	1496	updater.exe	76
PID 1496 set thread context of 1252	1496	updater.exe	77

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\WmiPrvSE.exe	MsServerHost.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\24dbde2999530e	MsServerHost.exe
File created	C:\Program Files\Google\Chrome\updater.exe	twain32.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Uninstall Information\smss.exe	MsServerHost.exe
File created	C:\Program Files\Uninstall Information\69ddcba757bf72	MsServerHost.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File opened for modification	C:\Windows\security\services.exe	MsServerHost.exe
File created	C:\Windows\ShellNew\smss.exe	MsServerHost.exe
File created	C:\Windows\ShellNew\69ddcba757bf72	MsServerHost.exe
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File created	C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini	WMIADAP.EXE
File created	C:\Windows\security\services.exe	MsServerHost.exe
File created	C:\Windows\security\c5b4cb5e9653cc	MsServerHost.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2272	sc.exe
2476	sc.exe
2852	sc.exe
2240	sc.exe
2552	sc.exe
2896	sc.exe
2972	sc.exe
596	sc.exe
1936	sc.exe
3060	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NerestPCFree 0.31.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MpDefenderCoreService.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1712	PING.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e0eacdbf494edb01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	dialer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1712	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 20 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1748	schtasks.exe
1860	schtasks.exe
2368	schtasks.exe
1164	schtasks.exe
424	schtasks.exe
2260	schtasks.exe
1140	schtasks.exe
2364	schtasks.exe
2080	schtasks.exe
1564	schtasks.exe
1604	schtasks.exe
2080	schtasks.exe
2752	schtasks.exe
2924	schtasks.exe
2656	schtasks.exe
1752	schtasks.exe
1772	schtasks.exe
2512	schtasks.exe
2276	schtasks.exe
2236	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1536	twain32.exe
1536	twain32.exe
2948	powershell.exe
1536	twain32.exe
1536	twain32.exe
1536	twain32.exe
1536	twain32.exe
1536	twain32.exe
1536	twain32.exe
1536	twain32.exe
1536	twain32.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2700	powershell.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
1536	twain32.exe
1536	twain32.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe
2692	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2692	dialer.exe
Token: SeAuditPrivilege	856	svchost.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeShutdownPrivilege	556	powercfg.exe
Token: SeShutdownPrivilege	1520	powercfg.exe
Token: SeShutdownPrivilege	1276	powercfg.exe
Token: SeShutdownPrivilege	2836	powercfg.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe
Token: SeSystemtimePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeRestorePrivilege	856	svchost.exe
Token: SeShutdownPrivilege	856	svchost.exe
Token: SeSystemEnvironmentPrivilege	856	svchost.exe
Token: SeUndockPrivilege	856	svchost.exe
Token: SeManageVolumePrivilege	856	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe
Token: SeSystemtimePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeRestorePrivilege	856	svchost.exe
Token: SeShutdownPrivilege	856	svchost.exe
Token: SeSystemEnvironmentPrivilege	856	svchost.exe
Token: SeUndockPrivilege	856	svchost.exe
Token: SeManageVolumePrivilege	856	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe
Token: SeSystemtimePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeRestorePrivilege	856	svchost.exe
Token: SeShutdownPrivilege	856	svchost.exe
Token: SeSystemEnvironmentPrivilege	856	svchost.exe
Token: SeUndockPrivilege	856	svchost.exe
Token: SeManageVolumePrivilege	856	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe
Token: SeSystemtimePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeRestorePrivilege	856	svchost.exe
Token: SeShutdownPrivilege	856	svchost.exe
Token: SeSystemEnvironmentPrivilege	856	svchost.exe
Token: SeUndockPrivilege	856	svchost.exe
Token: SeManageVolumePrivilege	856	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe
Token: SeSystemtimePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeRestorePrivilege	856	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2856	conhost.exe
1512	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 1036	1504	NerestPCFree 0.31.1.exe	30
PID 1504 wrote to memory of 1036	1504	NerestPCFree 0.31.1.exe	30
PID 1504 wrote to memory of 1036	1504	NerestPCFree 0.31.1.exe	30
PID 1504 wrote to memory of 1036	1504	NerestPCFree 0.31.1.exe	30
PID 1504 wrote to memory of 1536	1504	NerestPCFree 0.31.1.exe	31
PID 1504 wrote to memory of 1536	1504	NerestPCFree 0.31.1.exe	31
PID 1504 wrote to memory of 1536	1504	NerestPCFree 0.31.1.exe	31
PID 1504 wrote to memory of 1536	1504	NerestPCFree 0.31.1.exe	31
PID 1036 wrote to memory of 2780	1036	MpDefenderCoreService.exe	32
PID 1036 wrote to memory of 2780	1036	MpDefenderCoreService.exe	32
PID 1036 wrote to memory of 2780	1036	MpDefenderCoreService.exe	32
PID 1036 wrote to memory of 2780	1036	MpDefenderCoreService.exe	32
PID 2360 wrote to memory of 2972	2360	cmd.exe	37
PID 2360 wrote to memory of 2972	2360	cmd.exe	37
PID 2360 wrote to memory of 2972	2360	cmd.exe	37
PID 2360 wrote to memory of 3060	2360	cmd.exe	38
PID 2360 wrote to memory of 3060	2360	cmd.exe	38
PID 2360 wrote to memory of 3060	2360	cmd.exe	38
PID 2360 wrote to memory of 2272	2360	cmd.exe	39
PID 2360 wrote to memory of 2272	2360	cmd.exe	39
PID 2360 wrote to memory of 2272	2360	cmd.exe	39
PID 2360 wrote to memory of 2476	2360	cmd.exe	40
PID 2360 wrote to memory of 2476	2360	cmd.exe	40
PID 2360 wrote to memory of 2476	2360	cmd.exe	40
PID 2360 wrote to memory of 2852	2360	cmd.exe	41
PID 2360 wrote to memory of 2852	2360	cmd.exe	41
PID 2360 wrote to memory of 2852	2360	cmd.exe	41
PID 1536 wrote to memory of 2692	1536	twain32.exe	44
PID 2692 wrote to memory of 432	2692	dialer.exe	5
PID 2692 wrote to memory of 480	2692	dialer.exe	6
PID 2692 wrote to memory of 496	2692	dialer.exe	7
PID 2692 wrote to memory of 504	2692	dialer.exe	8
PID 2692 wrote to memory of 604	2692	dialer.exe	9
PID 2692 wrote to memory of 684	2692	dialer.exe	10
PID 2692 wrote to memory of 752	2692	dialer.exe	11
PID 2692 wrote to memory of 808	2692	dialer.exe	12
PID 2692 wrote to memory of 856	2692	dialer.exe	13
PID 2692 wrote to memory of 964	2692	dialer.exe	15
PID 2692 wrote to memory of 112	2692	dialer.exe	16
PID 2692 wrote to memory of 1020	2692	dialer.exe	17
PID 2692 wrote to memory of 1060	2692	dialer.exe	18
PID 2692 wrote to memory of 1100	2692	dialer.exe	19
PID 2692 wrote to memory of 1168	2692	dialer.exe	20
PID 2692 wrote to memory of 1200	2692	dialer.exe	21
PID 2692 wrote to memory of 1544	2692	dialer.exe	23
PID 2692 wrote to memory of 836	2692	dialer.exe	24
PID 2692 wrote to memory of 2448	2692	dialer.exe	26
PID 2692 wrote to memory of 2056	2692	dialer.exe	27
PID 2692 wrote to memory of 1536	2692	dialer.exe	31
PID 2692 wrote to memory of 2996	2692	dialer.exe	42
PID 2692 wrote to memory of 2960	2692	dialer.exe	43
PID 2692 wrote to memory of 2700	2692	dialer.exe	45
PID 2692 wrote to memory of 2708	2692	dialer.exe	46
PID 2996 wrote to memory of 556	2996	cmd.exe	47
PID 2996 wrote to memory of 556	2996	cmd.exe	47
PID 2996 wrote to memory of 556	2996	cmd.exe	47
PID 2692 wrote to memory of 556	2692	dialer.exe	47
PID 2996 wrote to memory of 1520	2996	cmd.exe	48
PID 2996 wrote to memory of 1520	2996	cmd.exe	48
PID 2996 wrote to memory of 1520	2996	cmd.exe	48
PID 2692 wrote to memory of 1520	2692	dialer.exe	48
PID 2692 wrote to memory of 1520	2692	dialer.exe	48
PID 2700 wrote to memory of 1604	2700	powershell.exe	49
PID 2700 wrote to memory of 1604	2700	powershell.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:480
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:604
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1544
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    - Checks BIOS information in registry
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:2116
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\WmiPrvSE.exe'" /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:1748
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\WmiPrvSE.exe'" /rl HIGHEST /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:1860
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\WmiPrvSE.exe'" /rl HIGHEST /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:2368
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellNew\smss.exe'" /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:2752
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ShellNew\smss.exe'" /rl HIGHEST /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:2924
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\ShellNew\smss.exe'" /rl HIGHEST /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:1164
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:424
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:1752
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:2080
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:1772
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:1564
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:2260
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\security\services.exe'" /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:2656
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\security\services.exe'" /rl HIGHEST /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:1140
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\security\services.exe'" /rl HIGHEST /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:2512
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "MsServerHostM" /sc MINUTE /mo 5 /tr "'C:\fontwin\MsServerHost.exe'" /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:2276
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "MsServerHost" /sc ONLOGON /tr "'C:\fontwin\MsServerHost.exe'" /rl HIGHEST /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:2364
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "MsServerHostM" /sc MINUTE /mo 9 /tr "'C:\fontwin\MsServerHost.exe'" /rl HIGHEST /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:2236
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:684
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Indicator Removal: Clear Windows Event Logs
  PID:752
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:808
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1168
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:856
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {D6F7DE9C-44A2-4460-BAC8-6EFAF9F8DFE6} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    - Loads dropped DLL
    PID:292
  - - C:\Program Files\Google\Chrome\updater.exe
      "C:\Program Files\Google\Chrome\updater.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      PID:1496
- - C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:988
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:964
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:112
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:1020
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1060
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1100
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:836
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2448
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2056

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:496

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:504

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\NerestPC free\NerestPCFree 0.31.1.exe
  "C:\Users\Admin\AppData\Local\Temp\NerestPC free\NerestPCFree 0.31.1.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Users\Admin\AppData\Local\Temp\MpDefenderCoreService.exe
    "C:\Users\Admin\AppData\Local\Temp\MpDefenderCoreService.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\fontwin\rjeG9jpaqkoGYbXQiCixJVHPtViWeFHmB5.vbe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2780
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\fontwin\SCfgtLybPKjlpPh39WWFnP7oUkboktfnsRDnMjyFOdFfzldEyFoe.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1876
      - C:\fontwin\MsServerHost.exe
        
        "C:\fontwin/MsServerHost.exe"
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        
        PID:3040
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yuqn5vbi\yuqn5vbi.cmdline"
        7⤵
        Drops file in System32 directory
        
        PID:2812
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES162F.tmp" "c:\Windows\System32\CSC7D2F785B976C42AAA316FD7FCBF052.TMP"
        8⤵
        
        PID:1820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/fontwin/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\smss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\smss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2248
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\services.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontwin\MsServerHost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jKkZYzVQ86.bat"
        7⤵
        
        PID:2572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2804
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1712
        
        C:\Windows\ShellNew\smss.exe
        
        "C:\Windows\ShellNew\smss.exe"
        8⤵
        Executes dropped EXE
        
        PID:2156
- - C:\Users\Admin\AppData\Local\Temp\twain32.exe
    "C:\Users\Admin\AppData\Local\Temp\twain32.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2972
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3060
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2272
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2476
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2852
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:556
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1520
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1276
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2836
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xzibzypo#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1604
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2340
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:1344
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2240
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2552
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2896
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:596
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1936
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1612
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:1472
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:668
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:2560
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:1292
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xzibzypo#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  PID:2988
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2080
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:2544
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Modifies data under HKEY_USERS
  PID:1252

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1221055517-2055351782-1614951340127003608512537440141364892741-213209618-1511003925"
1⤵
PID:2960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12877538551741513258186840011-18980561041552295991-1851439976119204996-808245150"
1⤵
PID:2708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2280248081599670161-4343298021211491651-13160984759117423621851624753-1834149440"
1⤵
PID:2804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "835523354-569751979784133578-113343149-1126385063870397016-1899975981-1320380874"
1⤵
PID:900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-576777164366393762779214399748602657166111699813106459201173452456-666023283"
1⤵
PID:2768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2103982051-1801922608-16175857331568465300-915912905755678840264412723-1830903136"
1⤵
PID:1608

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10218160038322182391695975732-20390870221547766196-3331441591361976274585719027"
1⤵
PID:2180

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1239396195-292214100-454327888-1649475064213913645414500482541752700988-1597111423"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7075722531161000719-82764004-2638859007135210721029075461577017711154112323"
1⤵
PID:472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4254076642142352329-2059788238975856282-650389535-16245161831744626369795119788"
1⤵
PID:3036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5529469832001375000-1967454336-900338911-2031445917-11640724591753841771-1690655872"
1⤵
PID:3048

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15254807391762701935717718781681309016548904411-2070369658-2379999121853867008"
1⤵
PID:1424

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5300316512327390671423387919-1115260302-1001528772099008581779508663-1916071747"
1⤵
PID:2284

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "166255556936998823211796972-677799809910178573-743648069998253000-1933472010"
1⤵
PID:3044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-140614829511758518511371297343468391883-201018098341853986-1328543991-1843117274"
1⤵
PID:2744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1449395085525815516-95749627-803988440-139133198-182056308-1251743404267976837"
1⤵
PID:2520

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5799938921689700574-1708673886-423465928-1689122428-2067055528-1567484141922916916"
1⤵
PID:988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "293758439-1847813849-5154985171268627019-416699558-12584129651141116441855938459"
1⤵
PID:2364

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-870525574-124751479-1615527090-2053111270-46508427414226483101845688663-1709857480"
1⤵
PID:1940

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18747285511813282931205373788018886816671512109253-9689879205307529461997099780"
1⤵
PID:1488

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-118212457461466326811933757023672942334501035281643427800737735335-132580235"
1⤵
PID:2664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "802052171-428321671-1402624478-59831651191409702653328793800052080395487509"
1⤵
PID:1852

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-972142147-1299365973-8324774791067520330-964933243-1522200409-20754035031328399634"
1⤵
PID:2924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1666110230117897485781372551206867964817998584295288985354748177261381872544"
1⤵
PID:2512

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-538203700-1082106027-11076830941189196763-19387696825571742021356134668-1238929929"
1⤵
PID:1268

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12392308401096181692-458595492-1438931791986032141291546788187999239742813746"
1⤵
PID:2468

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-234883349-1810990454-2125757256-1451308057-938294716193499366942492266-1851115633"
1⤵
PID:2796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-990304876-1552565589341423264804908162-605570241-1447417684-831540551-2020156767"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

Remote System Discovery

T1018

System Information Discovery