asyncrat | 037f1419e6450599732d5bd564cc85d9a807fad7688789a8c5e854df947471b1

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 61 IoCs

pid	Process
3108	cmd.exe
780	svchost.exe
2436	cmd.exe
2892	svchost.exe
2400	svchost.exe
1124	svchost.exe
2740	svchost.exe
960	svchost.exe
1348	svchost.exe
1544	svchost.exe
948	svchost.exe
2912	svchost.exe
1532	svchost.exe
2120	RuntimeBroker.exe
1920	svchost.exe
2312	svchost.exe
4084	RuntimeBroker.exe
3884	StartMenuExperienceHost.exe
1912	svchost.exe
2108	svchost.exe
3092	svchost.exe
1712	svchost.exe
1312	svchost.exe
2688	svchost.exe
1700	svchost.exe
4260	TextInputHost.exe
516	svchost.exe
3664	svchost.exe
1488	svchost.exe
896	svchost.exe
3060	taskhostw.exe
3556	svchost.exe
2852	sihost.exe
5016	svchost.exe
676	lsass.exe
3432	Explorer.EXE
2640	sysmon.exe
1260	svchost.exe
1456	OfficeClickToRun.exe
1652	svchost.exe
3680	svchost.exe
1684	spoolsv.exe
60	dwm.exe
2620	svchost.exe
3004	unsecapp.exe
1820	svchost.exe
2212	svchost.exe
2408	svchost.exe
3980	SppExtComObj.exe
1972	svchost.exe
1408	svchost.exe
816	svchost.exe
1012	svchost.exe
616	winlogon.exe
1796	svchost.exe
2776	RuntimeBroker.exe
1132	svchost.exe
1980	svchost.exe
3352	svchost.exe
1184	svchost.exe
2168	svchost.exe

Loads dropped DLL 12 IoCs

pid	Process
2360	Conhost.exe
636	sc.exe
5100	TrustedInstaller.exe
3512	svchost.exe
3324	wmiprvse.exe
4892	svchost.exe
1104	svchost.exe
2576	svchost.exe
3840	svchost.exe
4172	mousocoreworker.exe
3948	RuntimeBroker.exe
652	TiWorker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Admin\\AppData\\Roaming\\cmd.exe\""	cmd.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled Start	svchost.exe
File created	C:\Windows\system32\ASChelp.dll	cmd.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File created	C:\Windows\system32\ASChelp.dll	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2176	0oj3.exe
2176	0oj3.exe
1792	cmd.exe
1792	cmd.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\cmd.exe	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\cmd.exe	cmd.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3524	sc.exe
636	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={D750C836-6DA6-467B-A44A-33C88B5171B5}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1735507947"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sun, 29 Dec 2024 21:32:30 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133799814863717659"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133799814865592853"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133799815174342260"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133799815175436331"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy	svchost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3632	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2176	0oj3.exe
2176	0oj3.exe
1792	cmd.exe
1792	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe
3108	cmd.exe

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
2176	0oj3.exe
1792	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3108	cmd.exe
Token: SeDebugPrivilege	3108	cmd.exe
Token: SeAssignPrimaryTokenPrivilege	2212	svchost.exe
Token: SeIncreaseQuotaPrivilege	2212	svchost.exe
Token: SeSecurityPrivilege	2212	svchost.exe
Token: SeTakeOwnershipPrivilege	2212	svchost.exe
Token: SeLoadDriverPrivilege	2212	svchost.exe
Token: SeSystemtimePrivilege	2212	svchost.exe
Token: SeBackupPrivilege	2212	svchost.exe
Token: SeRestorePrivilege	2212	svchost.exe
Token: SeShutdownPrivilege	2212	svchost.exe
Token: SeSystemEnvironmentPrivilege	2212	svchost.exe
Token: SeUndockPrivilege	2212	svchost.exe
Token: SeManageVolumePrivilege	2212	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2212	svchost.exe
Token: SeIncreaseQuotaPrivilege	2212	svchost.exe
Token: SeSecurityPrivilege	2212	svchost.exe
Token: SeTakeOwnershipPrivilege	2212	svchost.exe
Token: SeLoadDriverPrivilege	2212	svchost.exe
Token: SeSystemtimePrivilege	2212	svchost.exe
Token: SeBackupPrivilege	2212	svchost.exe
Token: SeRestorePrivilege	2212	svchost.exe
Token: SeShutdownPrivilege	2212	svchost.exe
Token: SeSystemEnvironmentPrivilege	2212	svchost.exe
Token: SeUndockPrivilege	2212	svchost.exe
Token: SeManageVolumePrivilege	2212	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2212	svchost.exe
Token: SeIncreaseQuotaPrivilege	2212	svchost.exe
Token: SeSecurityPrivilege	2212	svchost.exe
Token: SeTakeOwnershipPrivilege	2212	svchost.exe
Token: SeLoadDriverPrivilege	2212	svchost.exe
Token: SeSystemtimePrivilege	2212	svchost.exe
Token: SeBackupPrivilege	2212	svchost.exe
Token: SeRestorePrivilege	2212	svchost.exe
Token: SeShutdownPrivilege	2212	svchost.exe
Token: SeSystemEnvironmentPrivilege	2212	svchost.exe
Token: SeUndockPrivilege	2212	svchost.exe
Token: SeManageVolumePrivilege	2212	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2212	svchost.exe
Token: SeIncreaseQuotaPrivilege	2212	svchost.exe
Token: SeSecurityPrivilege	2212	svchost.exe
Token: SeTakeOwnershipPrivilege	2212	svchost.exe
Token: SeLoadDriverPrivilege	2212	svchost.exe
Token: SeSystemtimePrivilege	2212	svchost.exe
Token: SeBackupPrivilege	2212	svchost.exe
Token: SeRestorePrivilege	2212	svchost.exe
Token: SeShutdownPrivilege	2212	svchost.exe
Token: SeSystemEnvironmentPrivilege	2212	svchost.exe
Token: SeUndockPrivilege	2212	svchost.exe
Token: SeManageVolumePrivilege	2212	svchost.exe
Token: SeAuditPrivilege	2620	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2212	svchost.exe
Token: SeIncreaseQuotaPrivilege	2212	svchost.exe
Token: SeSecurityPrivilege	2212	svchost.exe
Token: SeTakeOwnershipPrivilege	2212	svchost.exe
Token: SeLoadDriverPrivilege	2212	svchost.exe
Token: SeSystemtimePrivilege	2212	svchost.exe
Token: SeBackupPrivilege	2212	svchost.exe
Token: SeRestorePrivilege	2212	svchost.exe
Token: SeShutdownPrivilege	2212	svchost.exe
Token: SeSystemEnvironmentPrivilege	2212	svchost.exe
Token: SeUndockPrivilege	2212	svchost.exe
Token: SeManageVolumePrivilege	2212	svchost.exe
Token: SeDebugPrivilege	2436	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2360	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 1792	2176	0oj3.exe	84
PID 2176 wrote to memory of 1792	2176	0oj3.exe	84
PID 1792 wrote to memory of 3108	1792	cmd.exe	96
PID 1792 wrote to memory of 3108	1792	cmd.exe	96
PID 3108 wrote to memory of 4400	3108	cmd.exe	97
PID 3108 wrote to memory of 4400	3108	cmd.exe	97
PID 4400 wrote to memory of 3632	4400	cmd.exe	99
PID 4400 wrote to memory of 3632	4400	cmd.exe	99
PID 3108 wrote to memory of 3524	3108	cmd.exe	100
PID 3108 wrote to memory of 3524	3108	cmd.exe	100
PID 3108 wrote to memory of 636	3108	cmd.exe	102
PID 3108 wrote to memory of 636	3108	cmd.exe	102
PID 3108 wrote to memory of 2360	3108	cmd.exe	103
PID 3108 wrote to memory of 636	3108	cmd.exe	102
PID 3108 wrote to memory of 780	3108	cmd.exe	8
PID 3108 wrote to memory of 2892	3108	cmd.exe	74
PID 3108 wrote to memory of 2400	3108	cmd.exe	42
PID 3108 wrote to memory of 1124	3108	cmd.exe	18
PID 3108 wrote to memory of 2740	3108	cmd.exe	48
PID 3108 wrote to memory of 5100	3108	cmd.exe	90
PID 3108 wrote to memory of 960	3108	cmd.exe	69
PID 3108 wrote to memory of 1348	3108	cmd.exe	23
PID 3108 wrote to memory of 1544	3108	cmd.exe	27
PID 3108 wrote to memory of 4104	3108	cmd.exe	73
PID 3108 wrote to memory of 3512	3108	cmd.exe	87
PID 3108 wrote to memory of 948	3108	cmd.exe	12
PID 3108 wrote to memory of 2912	3108	cmd.exe	50
PID 3108 wrote to memory of 1532	3108	cmd.exe	26
PID 3108 wrote to memory of 2120	3108	cmd.exe	64
PID 3108 wrote to memory of 3324	3108	cmd.exe	89
PID 3108 wrote to memory of 1920	3108	cmd.exe	34
PID 3108 wrote to memory of 2312	3108	cmd.exe	41
PID 3108 wrote to memory of 4084	3108	cmd.exe	62
PID 3108 wrote to memory of 3884	3108	cmd.exe	59
PID 3108 wrote to memory of 4892	3108	cmd.exe	92
PID 3108 wrote to memory of 1912	3108	cmd.exe	33
PID 3108 wrote to memory of 2108	3108	cmd.exe	38
PID 3108 wrote to memory of 3092	3108	cmd.exe	54
PID 3108 wrote to memory of 1712	3108	cmd.exe	30
PID 3108 wrote to memory of 1312	3108	cmd.exe	22
PID 3108 wrote to memory of 2688	3108	cmd.exe	47
PID 3108 wrote to memory of 1700	3108	cmd.exe	29
PID 3108 wrote to memory of 4260	3108	cmd.exe	75
PID 3108 wrote to memory of 516	3108	cmd.exe	14
PID 3108 wrote to memory of 1104	3108	cmd.exe	17
PID 3108 wrote to memory of 3664	3108	cmd.exe	68
PID 3108 wrote to memory of 1488	3108	cmd.exe	25
PID 3108 wrote to memory of 896	3108	cmd.exe	11
PID 3108 wrote to memory of 3060	3108	cmd.exe	53
PID 3108 wrote to memory of 2576	3108	cmd.exe	44
PID 3108 wrote to memory of 3840	3108	cmd.exe	72
PID 3108 wrote to memory of 3556	3108	cmd.exe	57
PID 3108 wrote to memory of 2852	3108	cmd.exe	49
PID 3108 wrote to memory of 5016	3108	cmd.exe	67
PID 3108 wrote to memory of 676	3108	cmd.exe	7
PID 3108 wrote to memory of 3432	3108	cmd.exe	56
PID 3108 wrote to memory of 2640	3108	cmd.exe	46
PID 3108 wrote to memory of 1260	3108	cmd.exe	21
PID 3108 wrote to memory of 1456	3108	cmd.exe	71
PID 3108 wrote to memory of 1652	3108	cmd.exe	28
PID 3108 wrote to memory of 3680	3108	cmd.exe	70
PID 3108 wrote to memory of 1684	3108	cmd.exe	37
PID 3108 wrote to memory of 60	3108	cmd.exe	13
PID 3108 wrote to memory of 2620	3108	cmd.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Executes dropped EXE
PID:616
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:792
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Executes dropped EXE
  PID:60

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Executes dropped EXE
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Executes dropped EXE
- Modifies registry class
PID:780
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3756
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  - Executes dropped EXE
  PID:3884
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  - Loads dropped DLL
  PID:3948
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:4032
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  - Executes dropped EXE
  PID:4084
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  - Executes dropped EXE
  PID:3980
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:4104
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  - Executes dropped EXE
  PID:4260
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:3324
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  - Loads dropped DLL
  PID:4172
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3896
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  2⤵
  - Loads dropped DLL
  PID:652
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:4400

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
- Executes dropped EXE
PID:896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
- Executes dropped EXE
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
- Executes dropped EXE
PID:516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
- Executes dropped EXE
PID:816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
- Executes dropped EXE
PID:1012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:1104
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  - Executes dropped EXE
  PID:3060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
- Executes dropped EXE
PID:1124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
- Executes dropped EXE
PID:1132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Executes dropped EXE
PID:1184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
- Executes dropped EXE
PID:1260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
- Executes dropped EXE
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
- Executes dropped EXE
PID:1348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
- Executes dropped EXE
PID:1408
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  - Executes dropped EXE
  PID:2852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
- Executes dropped EXE
PID:1488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
- Executes dropped EXE
PID:1532

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
- Executes dropped EXE
PID:1544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
- Executes dropped EXE
PID:1652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
- Executes dropped EXE
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
- Executes dropped EXE
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
- Executes dropped EXE
PID:1796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Executes dropped EXE
PID:1820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
- Executes dropped EXE
PID:1912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Executes dropped EXE
PID:1920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
- Executes dropped EXE
PID:1972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
- Executes dropped EXE
PID:1980

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
- Executes dropped EXE
PID:1684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
- Executes dropped EXE
PID:2108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Executes dropped EXE
PID:2168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
- Executes dropped EXE
PID:2312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
- Executes dropped EXE
PID:2400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
- Executes dropped EXE
PID:2408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:2576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
- Executes dropped EXE
PID:2640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
- Executes dropped EXE
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
- Executes dropped EXE
PID:2740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Executes dropped EXE
PID:2912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
- Executes dropped EXE
PID:3092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
- Executes dropped EXE
PID:3352

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:3432
- C:\Users\Admin\AppData\Local\Temp\0oj3.exe
  "C:\Users\Admin\AppData\Local\Temp\0oj3.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    cmd.exe
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3108
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "cmd" /tr '"C:\ProgramData\cmd.exe"' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4400
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "cmd" /tr '"C:\ProgramData\cmd.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3632
    - - C:\Windows\System32\sc.exe
        
        "C:\Windows\System32\sc.exe" create AutoRunService binPath="C:\Program Files\cmd.exe" type=own start=auto
        5⤵
        Launches sc.exe
        
        PID:3524
    - - C:\Windows\System32\sc.exe
        
        "C:\Windows\System32\sc.exe" start AutoRunService
        5⤵
        Loads dropped DLL
        Launches sc.exe
        
        PID:636
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Executes dropped EXE
PID:3556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
- Executes dropped EXE
PID:5016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
- Executes dropped EXE
PID:3664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
- Executes dropped EXE
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3680

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Loads dropped DLL
PID:3840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
- Executes dropped EXE
PID:2892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3512

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Loads dropped DLL
PID:5100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Loads dropped DLL
PID:4892

C:\Program Files\cmd.exe
"C:\Program Files\cmd.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery