asyncrat | 037f1419e6450599732d5bd564cc85d9a807fad7688789a8c5e854df947471b1

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	netlimiter-5.3.18.0.exe

Executes dropped EXE 55 IoCs

pid	Process
2728	netlimiter-5.3.18.0.exe
5028	netlimiter-5.3.18.0.exe
3904	0oj3.exe
2184	cmd.exe
5028	cmd.exe
4660	svchost.exe
784	svchost.exe
2356	svchost.exe
3572	cmd.exe
384	dwm.exe
2152	svchost.exe
3332	svchost.exe
964	svchost.exe
2544	svchost.exe
1348	svchost.exe
1544	svchost.exe
4104	svchost.exe
2132	svchost.exe
1332	svchost.exe
1528	svchost.exe
1132	svchost.exe
1720	svchost.exe
1716	spoolsv.exe
724	svchost.exe
912	svchost.exe
2084	svchost.exe
3068	unsecapp.exe
1884	svchost.exe
616	winlogon.exe
2864	svchost.exe
1080	svchost.exe
3440	svchost.exe
1664	svchost.exe
1064	svchost.exe
1248	svchost.exe
1048	svchost.exe
2032	svchost.exe
3596	SppExtComObj.exe
1040	svchost.exe
1236	svchost.exe
700	TextInputHost.exe
2564	sysmon.exe
2808	sihost.exe
1428	svchost.exe
404	svchost.exe
2000	svchost.exe
2984	taskhostw.exe
1604	svchost.exe
2588	svchost.exe
1404	svchost.exe
2580	svchost.exe
3564	svchost.exe
2372	svchost.exe
1188	svchost.exe
1776	svchost.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Loads dropped DLL 59 IoCs

pid	Process
2916	MsiExec.exe
2916	MsiExec.exe
2916	MsiExec.exe
2916	MsiExec.exe
2916	MsiExec.exe
2916	MsiExec.exe
2916	MsiExec.exe
2916	MsiExec.exe
2916	MsiExec.exe
2916	MsiExec.exe
2916	MsiExec.exe
2728	netlimiter-5.3.18.0.exe
2832	MsiExec.exe
2832	MsiExec.exe
2832	MsiExec.exe
2832	MsiExec.exe
2832	MsiExec.exe
2832	MsiExec.exe
2832	MsiExec.exe
2832	MsiExec.exe
2832	MsiExec.exe
3528	MsiExec.exe
2832	MsiExec.exe
2832	MsiExec.exe
2832	MsiExec.exe
3528	MsiExec.exe
3528	MsiExec.exe
2832	MsiExec.exe
2916	MsiExec.exe
3904	0oj3.exe
3904	0oj3.exe
3904	0oj3.exe
3904	0oj3.exe
2184	cmd.exe
2184	cmd.exe
2184	cmd.exe
2184	cmd.exe
3728	svchost.exe
2252	TiWorker.exe
3932	wmiprvse.exe
4112	svchost.exe
5088	svchost.exe
940	vssvc.exe
3908	RuntimeBroker.exe
2480	svchost.exe
1052	svchost.exe
1880	msiexec.exe
3840	StartMenuExperienceHost.exe
3544	OfficeClickToRun.exe
2280	svchost.exe
4808	TrustedInstaller.exe
668	lsass.exe
3416	Explorer.EXE
2612	RuntimeBroker.exe
4176	RuntimeBroker.exe
2904	svchost.exe
2364	svchost.exe
4908	svchost.exe
1836	mousocoreworker.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Admin\\AppData\\Roaming\\cmd.exe\""	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetLimiter = "\"C:\\Program Files\\Locktime Software\\NetLimiter\\nlclientapp.exe\" /minimized"	msiexec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\G:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\O:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\J:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\S:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\V:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\L:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\W:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\K:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\U:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\A:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\J:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\Z:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\B:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\H:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\V:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\W:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\Y:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\I:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\Y:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\O:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\U:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\A:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\N:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\P:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\R:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\X:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\T:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\T:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\M:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\X:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\E:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\Z:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\P:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\L:	netlimiter-5.3.18.0.exe
File opened (read-only)	\??\Q:	netlimiter-5.3.18.0.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\system32\ASChelp.dll	cmd.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled Start	svchost.exe
File created	C:\Windows\system32\ASChelp.dll	cmd.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
3904	0oj3.exe
3904	0oj3.exe
2184	cmd.exe
2184	cmd.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Locktime Software\NetLimiter\System.IO.Compression.ZipFile.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Runtime.InteropServices.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\NLog.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\Microsoft.Win32.TaskScheduler.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Net.WebHeaderCollection.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.ObjectModel.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Reflection.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Threading.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Runtime.CompilerServices.Unsafe.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\Microsoft.Bcl.AsyncInterfaces.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Diagnostics.Process.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.IO.Compression.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Net.Primitives.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\netstandard.dll	msiexec.exe
File opened for modification	C:\Program Files\Locktime Software\NetLimiter\	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\Xceed.Wpf.Toolkit.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\NLClientApp.Modules.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Runtime.Numerics.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Security.Claims.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Security.SecureString.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Xml.XmlSerializer.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\Newtonsoft.Json.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\zh-hans\NLClientApp.Core.resources.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.ComponentModel.TypeConverter.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\SimpleInjector.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Collections.Concurrent.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Globalization.Calendars.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.IO.FileSystem.Primitives.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.IO.FileSystem.Watcher.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Text.Encoding.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\FamFamFam.Flags.Wpf.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\ports.bin	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.ValueTuple.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Linq.Expressions.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Reflection.Primitives.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Security.Cryptography.X509Certificates.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\NLDiag.exe.config	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.ComponentModel.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Diagnostics.FileVersionInfo.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Globalization.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Resources.Reader.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Text.RegularExpressions.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Xml.XPath.XDocument.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\pl\NLClientApp.Core.resources.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.ComponentModel.EventBasedAsync.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Dynamic.Runtime.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Runtime.Handles.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\nl\NLClientApp.Core.resources.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Console.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\hi\NLClientApp.Core.resources.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\tr\NLClientApp.Core.resources.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\it\NLClientApp.Core.resources.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Diagnostics.StackTrace.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.IO.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.IO.MemoryMappedFiles.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\NLClientApp.exe	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\cs\NLClientApp.Core.resources.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Threading.Tasks.Parallel.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Reflection.Extensions.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Text.Encoding.Extensions.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\sl\NLClientApp.Core.resources.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Xml.XDocument.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Net.WebSockets.dll	msiexec.exe
File created	C:\Program Files\Locktime Software\NetLimiter\ScottPlot.dll	msiexec.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI25C9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI28FA.tmp	msiexec.exe
File created	C:\Windows\Installer\e581b34.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5ADFA84B-DFB3-4823-9614-56E005DCE660}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2C66.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1EC2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1D2A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1DF6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2412.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI288C.tmp	msiexec.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\Installer\e581b34.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1C4D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2648.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2649.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\cmd.exe	cmd.exe
File opened for modification	C:\Windows\Installer\MSI4E0A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4E09.tmp	msiexec.exe
File created	C:\Windows\Installer\{5ADFA84B-DFB3-4823-9614-56E005DCE660}\nl_icon.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2628.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{5ADFA84B-DFB3-4823-9614-56E005DCE660}\nl_icon.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4E1A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4E2B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1CBB.tmp	msiexec.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4392	sc.exe
2712	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlimiter-5.3.18.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netlimiter-5.3.18.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
5028	netlimiter-5.3.18.0.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000038a6760542cf76680000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000038a676050000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090038a67605000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d38a67605000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000038a6760500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133799818563246976"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133799818564340774"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI	svchost.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	netlimiter-5.3.18.0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	netlimiter-5.3.18.0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	netlimiter-5.3.18.0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	netlimiter-5.3.18.0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	netlimiter-5.3.18.0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	netlimiter-5.3.18.0.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1880	msiexec.exe
1880	msiexec.exe
3904	0oj3.exe
3904	0oj3.exe
2184	cmd.exe
2184	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe
5028	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2912	7zFM.exe
3416	Explorer.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2912	7zFM.exe
Token: 35	2912	7zFM.exe
Token: SeSecurityPrivilege	2912	7zFM.exe
Token: SeSecurityPrivilege	1880	msiexec.exe
Token: SeCreateTokenPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeAssignPrimaryTokenPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeLockMemoryPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeIncreaseQuotaPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeMachineAccountPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeTcbPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeSecurityPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeTakeOwnershipPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeLoadDriverPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeSystemProfilePrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeSystemtimePrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeProfSingleProcessPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeIncBasePriorityPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeCreatePagefilePrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeCreatePermanentPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeBackupPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeRestorePrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeShutdownPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeDebugPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeAuditPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeSystemEnvironmentPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeChangeNotifyPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeRemoteShutdownPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeUndockPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeSyncAgentPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeEnableDelegationPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeManageVolumePrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeImpersonatePrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeCreateGlobalPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeCreateTokenPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeAssignPrimaryTokenPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeLockMemoryPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeIncreaseQuotaPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeMachineAccountPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeTcbPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeSecurityPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeTakeOwnershipPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeLoadDriverPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeSystemProfilePrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeSystemtimePrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeProfSingleProcessPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeIncBasePriorityPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeCreatePagefilePrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeCreatePermanentPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeBackupPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeRestorePrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeShutdownPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeDebugPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeAuditPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeSystemEnvironmentPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeChangeNotifyPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeRemoteShutdownPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeUndockPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeSyncAgentPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeEnableDelegationPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeManageVolumePrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeImpersonatePrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeCreateGlobalPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeCreateTokenPrivilege	2728	netlimiter-5.3.18.0.exe
Token: SeAssignPrimaryTokenPrivilege	2728	netlimiter-5.3.18.0.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2912	7zFM.exe
2912	7zFM.exe
2728	netlimiter-5.3.18.0.exe
2728	netlimiter-5.3.18.0.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3904	0oj3.exe
2184	cmd.exe
3416	Explorer.EXE
3416	Explorer.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2612	RuntimeBroker.exe
4176	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 2916	1880	msiexec.exe	101
PID 1880 wrote to memory of 2916	1880	msiexec.exe	101
PID 1880 wrote to memory of 2916	1880	msiexec.exe	101
PID 2728 wrote to memory of 5028	2728	netlimiter-5.3.18.0.exe	106
PID 2728 wrote to memory of 5028	2728	netlimiter-5.3.18.0.exe	106
PID 2728 wrote to memory of 5028	2728	netlimiter-5.3.18.0.exe	106
PID 1880 wrote to memory of 2948	1880	msiexec.exe	116
PID 1880 wrote to memory of 2948	1880	msiexec.exe	116
PID 1880 wrote to memory of 2832	1880	msiexec.exe	118
PID 1880 wrote to memory of 2832	1880	msiexec.exe	118
PID 1880 wrote to memory of 2832	1880	msiexec.exe	118
PID 1880 wrote to memory of 3528	1880	msiexec.exe	119
PID 1880 wrote to memory of 3528	1880	msiexec.exe	119
PID 1880 wrote to memory of 3528	1880	msiexec.exe	119
PID 3904 wrote to memory of 2184	3904	0oj3.exe	128
PID 3904 wrote to memory of 2184	3904	0oj3.exe	128
PID 2184 wrote to memory of 5028	2184	cmd.exe	130
PID 2184 wrote to memory of 5028	2184	cmd.exe	130
PID 5028 wrote to memory of 1568	5028	cmd.exe	133
PID 5028 wrote to memory of 1568	5028	cmd.exe	133
PID 5028 wrote to memory of 4392	5028	cmd.exe	135
PID 5028 wrote to memory of 4392	5028	cmd.exe	135
PID 1568 wrote to memory of 1004	1568	cmd.exe	136
PID 1568 wrote to memory of 1004	1568	cmd.exe	136
PID 5028 wrote to memory of 2712	5028	cmd.exe	138
PID 5028 wrote to memory of 2712	5028	cmd.exe	138
PID 5028 wrote to memory of 3728	5028	cmd.exe	65
PID 5028 wrote to memory of 4660	5028	cmd.exe	75
PID 5028 wrote to memory of 784	5028	cmd.exe	8
PID 5028 wrote to memory of 2356	5028	cmd.exe	41
PID 5028 wrote to memory of 384	5028	cmd.exe	13
PID 5028 wrote to memory of 2152	5028	cmd.exe	40
PID 5028 wrote to memory of 3332	5028	cmd.exe	55
PID 5028 wrote to memory of 2252	5028	cmd.exe	113
PID 5028 wrote to memory of 3932	5028	cmd.exe	131
PID 5028 wrote to memory of 964	5028	cmd.exe	12
PID 5028 wrote to memory of 4112	5028	cmd.exe	95
PID 5028 wrote to memory of 2544	5028	cmd.exe	45
PID 5028 wrote to memory of 1348	5028	cmd.exe	24
PID 5028 wrote to memory of 1544	5028	cmd.exe	28
PID 5028 wrote to memory of 4104	5028	cmd.exe	66
PID 5028 wrote to memory of 5088	5028	cmd.exe	69
PID 5028 wrote to memory of 2132	5028	cmd.exe	39
PID 5028 wrote to memory of 940	5028	cmd.exe	107
PID 5028 wrote to memory of 1332	5028	cmd.exe	23
PID 5028 wrote to memory of 1528	5028	cmd.exe	27
PID 5028 wrote to memory of 1132	5028	cmd.exe	36
PID 5028 wrote to memory of 1720	5028	cmd.exe	31
PID 5028 wrote to memory of 1716	5028	cmd.exe	37
PID 5028 wrote to memory of 724	5028	cmd.exe	15
PID 5028 wrote to memory of 3908	5028	cmd.exe	60
PID 5028 wrote to memory of 912	5028	cmd.exe	11
PID 5028 wrote to memory of 2480	5028	cmd.exe	44
PID 5028 wrote to memory of 2084	5028	cmd.exe	38
PID 5028 wrote to memory of 3068	5028	cmd.exe	52
PID 5028 wrote to memory of 1884	5028	cmd.exe	33
PID 5028 wrote to memory of 616	5028	cmd.exe	5
PID 5028 wrote to memory of 1052	5028	cmd.exe	17
PID 5028 wrote to memory of 1880	5028	cmd.exe	97
PID 5028 wrote to memory of 2864	5028	cmd.exe	50
PID 5028 wrote to memory of 4736	5028	cmd.exe	73
PID 5028 wrote to memory of 3840	5028	cmd.exe	59
PID 5028 wrote to memory of 3544	5028	cmd.exe	72
PID 5028 wrote to memory of 1080	5028	cmd.exe	19

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Executes dropped EXE
PID:616
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:800
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Executes dropped EXE
  PID:384

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Loads dropped DLL
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
PID:784
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3752
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  - Loads dropped DLL
  PID:3840
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  - Loads dropped DLL
  PID:3908
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:3992
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  - Loads dropped DLL
  - Suspicious use of UnmapMainImage
  PID:4176
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  - Executes dropped EXE
  PID:3596
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:4736
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  - Executes dropped EXE
  PID:700
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  - Loads dropped DLL
  - Suspicious use of UnmapMainImage
  PID:2612
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  2⤵
  - Loads dropped DLL
  PID:2252
- C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  2⤵
  PID:3952
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:3932
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:1836
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:1308

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
- Executes dropped EXE
PID:912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
- Executes dropped EXE
PID:964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
- Executes dropped EXE
PID:724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
- Executes dropped EXE
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:1052
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  - Executes dropped EXE
  PID:2984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
- Executes dropped EXE
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
- Executes dropped EXE
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
- Executes dropped EXE
PID:1188

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
PID:1236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
- Executes dropped EXE
PID:1248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
- Executes dropped EXE
PID:1332

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
- Executes dropped EXE
PID:1348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
- Executes dropped EXE
PID:1404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
- Executes dropped EXE
PID:1428
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  - Executes dropped EXE
  PID:2808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
- Executes dropped EXE
PID:1528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
- Executes dropped EXE
PID:1544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
- Executes dropped EXE
PID:1604

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
- Executes dropped EXE
PID:1664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
- Executes dropped EXE
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Executes dropped EXE
PID:1776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
- Executes dropped EXE
PID:1884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
- Executes dropped EXE
PID:2000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Executes dropped EXE
PID:2032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
- Executes dropped EXE
PID:1132

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
- Executes dropped EXE
PID:1716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
- Executes dropped EXE
PID:2084

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
- Executes dropped EXE
PID:2132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Executes dropped EXE
PID:2152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
- Executes dropped EXE
PID:2356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Loads dropped DLL
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
- Executes dropped EXE
PID:2372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:2480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Executes dropped EXE
PID:2544

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
- Executes dropped EXE
PID:2564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
- Executes dropped EXE
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
- Executes dropped EXE
PID:2588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Executes dropped EXE
PID:2864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
- Executes dropped EXE
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
- Executes dropped EXE
PID:3332

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3416
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\1.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2912
- C:\Users\Admin\Desktop\netlimiter-5.3.18.0.exe
  "C:\Users\Admin\Desktop\netlimiter-5.3.18.0.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\Desktop\netlimiter-5.3.18.0.exe
    "C:\Users\Admin\Desktop\netlimiter-5.3.18.0.exe" /i C:\Users\Admin\AppData\Local\Temp\{5ADFA84B-DFB3-4823-9614-56E005DCE660}\5DCE660\netlimiter-5.3.18.0.x64.msi AI_EUIMSI=1 APPDIR="C:\Program Files\Locktime Software\NetLimiter" SECONDSEQUENCE="1" CLIENTPROCESSID="2728" AI_MORE_CMD_LINE=1
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - System Time Discovery
    - Modifies system certificate store
    PID:5028
- C:\Users\Admin\Desktop\0oj3.exe
  "C:\Users\Admin\Desktop\0oj3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Users\Admin\Desktop\cmd.exe
    cmd.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5028
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "cmd" /tr '"C:\ProgramData\cmd.exe"' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1568
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "cmd" /tr '"C:\ProgramData\cmd.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1004
    - - C:\Windows\System32\sc.exe
        
        "C:\Windows\System32\sc.exe" create AutoRunService binPath="C:\Program Files\cmd.exe" type=own start=auto
        5⤵
        Launches sc.exe
        
        PID:4392
    - - C:\Windows\System32\sc.exe
        
        "C:\Windows\System32\sc.exe" start AutoRunService
        5⤵
        Launches sc.exe
        
        PID:2712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Executes dropped EXE
PID:3564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Loads dropped DLL
PID:3728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
- Executes dropped EXE
PID:4104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
- Executes dropped EXE
PID:404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:5088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
- Executes dropped EXE
PID:3440

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
- Executes dropped EXE
PID:4660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:4908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
- Loads dropped DLL
PID:4112

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DD9142DCBEF2402602F7FC279AD6D252 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2916
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2948
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1F7E08EB59F27F944CFE44F9F81C9DDF
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2832
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1E7AA229E5D022B958335900AC35436F E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3528

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Loads dropped DLL
PID:4808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Loads dropped DLL
PID:2280

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
PID:940

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
1⤵
- Loads dropped DLL
PID:2904

C:\Program Files\cmd.exe
"C:\Program Files\cmd.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery