asyncrat | 037f1419e6450599732d5bd564cc85d9a807fad7688789a8c5e854df947471b1

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"	WaaSMedicAgent.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 62 IoCs

pid	Process
3256	cmd.exe
392	svchost.exe
1572	svchost.exe
3344	Explorer.EXE
4208	cmd.exe
776	taskhostw.exe
1956	svchost.exe
2740	svchost.exe
4512	svchost.exe
3920	RuntimeBroker.exe
1948	svchost.exe
1352	svchost.exe
956	svchost.exe
1940	svchost.exe
1120	svchost.exe
2328	svchost.exe
1736	svchost.exe
2720	svchost.exe
3664	RuntimeBroker.exe
2120	svchost.exe
1656	svchost.exe
1520	svchost.exe
2696	sysmon.exe
2692	svchost.exe
1112	svchost.exe
2884	unsecapp.exe
2092	svchost.exe
1500	OfficeClickToRun.exe
2680	svchost.exe
3856	StartMenuExperienceHost.exe
896	svchost.exe
1288	svchost.exe
1676	svchost.exe
2068	spoolsv.exe
3052	sihost.exe
1660	svchost.exe
672	lsass.exe
2444	svchost.exe
412	svchost.exe
2436	svchost.exe
2628	svchost.exe
3764	SppExtComObj.exe
1244	svchost.exe
2412	TextInputHost.exe
1032	svchost.exe
796	svchost.exe
2204	svchost.exe
1020	dwm.exe
1768	svchost.exe
624	winlogon.exe
4880	svchost.exe
2000	RuntimeBroker.exe
1208	svchost.exe
2188	svchost.exe
3172	svchost.exe
1820	svchost.exe
3564	svchost.exe
2212	svchost.exe
1392	svchost.exe
1584	svchost.exe
992	svchost.exe
3352	svchost.exe

Loads dropped DLL 10 IoCs

pid	Process
1172	svchost.exe
4748	svchost.exe
448	svchost.exe
4460	Conhost.exe
1456	wmiprvse.exe
1304	svchost.exe
4132	TrustedInstaller.exe
1640	mousocoreworker.exe
2008	backgroundTaskHost.exe
1596	TiWorker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Admin\\AppData\\Roaming\\cmd.exe\""	cmd.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\ASChelp.dll	cmd.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File created	C:\Windows\system32\ASChelp.dll	cmd.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1184	0oj3.exe
1184	0oj3.exe
1420	cmd.exe
1420	cmd.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\cmd.exe	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\cmd.exe	cmd.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2032	sc.exe
3180	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1"	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "00180012E668CF00"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek\CacheStore	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={8EDDE341-6043-44F9-8E11-D9E3F6A00C16}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "00180012E668CF00"	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sun, 29 Dec 2024 21:53:09 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}	mousocoreworker.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager	mousocoreworker.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\00180012E668CF00 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d8c5ae66c44e0548aebe78fbbf17ad2100000000020000000000106600000001000020000000c768c15ca5c1f0bbe3860cd69bea951242ecb8c1172539e61330928b3be4a17e000000000e80000000020000200000008ebbadf9156c7d68d8a46f11d02bdbf6407179a96e09f5715f5d087f3d22bf6680000000f63e4b0b76e63093804b3956b8f27c674e5bb827341673f15380ca3828c319bbe71a4a576605f72b63949bf5c002baf69938efb80fc9a0591893e2389a837e53c70e080a9f9d0813f6bf4a8e6b48ee1e101354c29d1c5d7fca58f96c1ee44ce250c319cb469a4390ceafadef9ca2db2e684fbef47a597277d2b34c74e0eeffa640000000a4de5413cd7813a71614b79cda222c2a1f2aac7796586af2428c7a19e2e9ffd490c10241ff86064f06c3467b915507ca3a9f289ac36c13d624ce0787f67557a6	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	mousocoreworker.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d8c5ae66c44e0548aebe78fbbf17ad2100000000020000000000106600000001000020000000c9f1ff74ed30a4cf91f1e7f15821f87be40d7544b238243c2073f0b0898583b2000000000e80000000020000200000006f749d1d22415e3153b4e5bf8736449b9f1bf3afc410a462174f8a6d26208bb1b00300002c45203ed133cb4ca95751659de25a607001a6f1863d36df0e07afbbac25bdb55a48f99bd7f437cd8a0139ea9ee97df66f6a98b7072b955c5c344cc5c7497efe9dd6f32752e03da3833f56e56c27bc8933ffe78b792076d6605db3fc457a13f8ab6b688762439d6edf8c82d4beac3b0893a15c12868b115340f776c66b98d183cc6911c8a46ecd782652574b56e95199d66afdfd808f42b1f385f81d62268d8fd269e9f65746b006e03042079ddef624f9b0068b94daee53ea28e29488074247c871665eb40deff8f34bcd9092ee672a325bb4160664e9c6dc9f39c227b0d9dea035843595337bb59dcc59147a0ed13eb949d8862e857525c74e346899f09879c0b01717659f3e358cf2c07946ba61daeadf4c0147190f01757bbb685d37590d6ab02dd62049df8f513ecc3e7dbaa2213a0bd399a2d269afbf5e8d06d7641507624ffcb22e3e8322fb4caf9e85e161b9dc1080a7a179628083483160c2aedf3ee6bfe413c952bd2dd9a87501ecf7068dedfe5b06b357855029211b03c8036dfb212028149f0490395c75059397a49c577706aef174251e3394579ae30619b4ee162ae418a20102dd644ed0e04879d0e309fec3af7d94e81b16e8263196ecc8b7ebf38c061f434d1cdb5ab66699e44fd02e7036eef94f9c8ba5fb6bab636f46bb027767f6feba4e8aeb56e02bd2bc70f5b7a289d2510535ceb6e389ec51e19d1c2ec791caa0050aad45b9959d6c6a4dec19ef5b5fc441b1dbd9dc77c074a59f993f4a13a5e76528e123654e9479797667d7229b178e7b48186cc5cbc43684144d52661427de66af9dd9efd2c5d403c1cb65b04a1b76365527e3985639ee7c0d38772e780a3e09fa3541d4dc04d5125cc00a435580b429475081dc010ed6d741353cb7ab653e5410d19307a201cdc0e6a240aaec4e472fe383621da9b26d7cb6c96fb55f69e5620cdeadf3b6555ecad08df17b16bcad738ba6c2c761acf88a0cc2355610042f9bac18c234407e754189ed8a08158539c0da5f411c73e84cf3b4f86731f3db12bc424dc6d57793d4498b83a7973d173774a7b0b9999b8a3226b4036d9a52367682cc868548af84b44a417bc0b580cc645d4a859108845b89455f6823c1acf68d730d6e7cda8332cea3246153713958c1da2412c3e9ec46685fbd14e0ffae31c8bf4b79e65eeab2194c05d98a73b54942a4d75bdec0d49a08a19fde6de90c708886a81f70469c38d49a410ba6e07739e0d4c4702d929e2e6d2834f031d2e05a72cb028308bd6e29a2e3802c050c8ea2d4f79624cb8d12b2154ee48883e877b129d10abd5e302037e85f2244400000008b081e7ee20f1968a39c9f114663f7d76b216581f34f41c69989ea0ad56c2d223acf5e53419f63e6f89d0e937f5dfefab1999a7a99e302962862268d29e344e1	mousocoreworker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1735509186"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133799827176198937"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133799827176823714"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133799827242917647"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133799827245105039"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133799827173230047"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133799827178542618"	svchost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2564	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1184	0oj3.exe
1184	0oj3.exe
1420	cmd.exe
1420	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe
3256	cmd.exe

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
1184	0oj3.exe
1420	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3256	cmd.exe
Token: SeDebugPrivilege	3256	cmd.exe
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeShutdownPrivilege	3344	Explorer.EXE
Token: SeCreatePagefilePrivilege	3344	Explorer.EXE
Token: SeTcbPrivilege	796	svchost.exe
Token: SeTcbPrivilege	796	svchost.exe
Token: SeTcbPrivilege	796	svchost.exe
Token: SeTcbPrivilege	796	svchost.exe
Token: SeTcbPrivilege	796	svchost.exe
Token: SeShutdownPrivilege	1304	svchost.exe
Token: SeCreatePagefilePrivilege	1304	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2092	svchost.exe
Token: SeIncreaseQuotaPrivilege	2092	svchost.exe
Token: SeSecurityPrivilege	2092	svchost.exe
Token: SeTakeOwnershipPrivilege	2092	svchost.exe
Token: SeLoadDriverPrivilege	2092	svchost.exe
Token: SeSystemtimePrivilege	2092	svchost.exe
Token: SeBackupPrivilege	2092	svchost.exe
Token: SeRestorePrivilege	2092	svchost.exe
Token: SeShutdownPrivilege	2092	svchost.exe
Token: SeSystemEnvironmentPrivilege	2092	svchost.exe
Token: SeUndockPrivilege	2092	svchost.exe
Token: SeManageVolumePrivilege	2092	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2092	svchost.exe
Token: SeIncreaseQuotaPrivilege	2092	svchost.exe
Token: SeSecurityPrivilege	2092	svchost.exe
Token: SeTakeOwnershipPrivilege	2092	svchost.exe
Token: SeLoadDriverPrivilege	2092	svchost.exe
Token: SeSystemtimePrivilege	2092	svchost.exe
Token: SeBackupPrivilege	2092	svchost.exe
Token: SeRestorePrivilege	2092	svchost.exe
Token: SeShutdownPrivilege	2092	svchost.exe
Token: SeSystemEnvironmentPrivilege	2092	svchost.exe
Token: SeUndockPrivilege	2092	svchost.exe
Token: SeManageVolumePrivilege	2092	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2092	svchost.exe
Token: SeIncreaseQuotaPrivilege	2092	svchost.exe
Token: SeSecurityPrivilege	2092	svchost.exe
Token: SeTakeOwnershipPrivilege	2092	svchost.exe
Token: SeLoadDriverPrivilege	2092	svchost.exe
Token: SeSystemtimePrivilege	2092	svchost.exe
Token: SeBackupPrivilege	2092	svchost.exe
Token: SeRestorePrivilege	2092	svchost.exe
Token: SeShutdownPrivilege	2092	svchost.exe
Token: SeSystemEnvironmentPrivilege	2092	svchost.exe
Token: SeUndockPrivilege	2092	svchost.exe
Token: SeManageVolumePrivilege	2092	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2092	svchost.exe
Token: SeIncreaseQuotaPrivilege	2092	svchost.exe
Token: SeSecurityPrivilege	2092	svchost.exe
Token: SeTakeOwnershipPrivilege	2092	svchost.exe
Token: SeLoadDriverPrivilege	2092	svchost.exe
Token: SeSystemtimePrivilege	2092	svchost.exe
Token: SeBackupPrivilege	2092	svchost.exe
Token: SeRestorePrivilege	2092	svchost.exe
Token: SeShutdownPrivilege	2092	svchost.exe
Token: SeSystemEnvironmentPrivilege	2092	svchost.exe
Token: SeUndockPrivilege	2092	svchost.exe
Token: SeManageVolumePrivilege	2092	svchost.exe
Token: SeAuditPrivilege	2680	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 1420	1184	0oj3.exe	83
PID 1184 wrote to memory of 1420	1184	0oj3.exe	83
PID 1420 wrote to memory of 3256	1420	cmd.exe	84
PID 1420 wrote to memory of 3256	1420	cmd.exe	84
PID 3256 wrote to memory of 4988	3256	cmd.exe	91
PID 3256 wrote to memory of 4988	3256	cmd.exe	91
PID 4988 wrote to memory of 2564	4988	cmd.exe	93
PID 4988 wrote to memory of 2564	4988	cmd.exe	93
PID 3256 wrote to memory of 2032	3256	cmd.exe	94
PID 3256 wrote to memory of 2032	3256	cmd.exe	94
PID 3256 wrote to memory of 3180	3256	cmd.exe	96
PID 3256 wrote to memory of 3180	3256	cmd.exe	96
PID 3256 wrote to memory of 392	3256	cmd.exe	14
PID 3256 wrote to memory of 1572	3256	cmd.exe	26
PID 3256 wrote to memory of 3344	3256	cmd.exe	55
PID 3256 wrote to memory of 780	3256	cmd.exe	8
PID 3256 wrote to memory of 1172	3256	cmd.exe	19
PID 3256 wrote to memory of 776	3256	cmd.exe	53
PID 3256 wrote to memory of 1956	3256	cmd.exe	35
PID 3256 wrote to memory of 2740	3256	cmd.exe	48
PID 3256 wrote to memory of 4512	3256	cmd.exe	74
PID 3256 wrote to memory of 3920	3256	cmd.exe	60
PID 3256 wrote to memory of 1948	3256	cmd.exe	34
PID 3256 wrote to memory of 1352	3256	cmd.exe	23
PID 3256 wrote to memory of 956	3256	cmd.exe	12
PID 3256 wrote to memory of 1940	3256	cmd.exe	33
PID 3256 wrote to memory of 1120	3256	cmd.exe	18
PID 3256 wrote to memory of 2328	3256	cmd.exe	41
PID 3256 wrote to memory of 1736	3256	cmd.exe	30
PID 3256 wrote to memory of 2720	3256	cmd.exe	47
PID 3256 wrote to memory of 4748	3256	cmd.exe	65
PID 3256 wrote to memory of 3664	3256	cmd.exe	62
PID 3256 wrote to memory of 2120	3256	cmd.exe	39
PID 3256 wrote to memory of 1656	3256	cmd.exe	36
PID 3256 wrote to memory of 3100	3256	cmd.exe	85
PID 3256 wrote to memory of 1520	3256	cmd.exe	25
PID 3256 wrote to memory of 4276	3256	cmd.exe	73
PID 3256 wrote to memory of 2696	3256	cmd.exe	46
PID 3256 wrote to memory of 2692	3256	cmd.exe	51
PID 3256 wrote to memory of 1112	3256	cmd.exe	17
PID 3256 wrote to memory of 2884	3256	cmd.exe	52
PID 3256 wrote to memory of 2092	3256	cmd.exe	38
PID 3256 wrote to memory of 1500	3256	cmd.exe	72
PID 3256 wrote to memory of 2680	3256	cmd.exe	45
PID 3256 wrote to memory of 3856	3256	cmd.exe	59
PID 3256 wrote to memory of 448	3256	cmd.exe	87
PID 3256 wrote to memory of 896	3256	cmd.exe	11
PID 3256 wrote to memory of 1288	3256	cmd.exe	22
PID 3256 wrote to memory of 1676	3256	cmd.exe	29
PID 3256 wrote to memory of 2068	3256	cmd.exe	37
PID 3256 wrote to memory of 3052	3256	cmd.exe	50
PID 3256 wrote to memory of 4460	3256	cmd.exe	86
PID 3256 wrote to memory of 1660	3256	cmd.exe	28
PID 3256 wrote to memory of 672	3256	cmd.exe	7
PID 3256 wrote to memory of 2444	3256	cmd.exe	43
PID 3256 wrote to memory of 412	3256	cmd.exe	68
PID 3256 wrote to memory of 1456	3256	cmd.exe	89
PID 3256 wrote to memory of 2436	3256	cmd.exe	42
PID 3256 wrote to memory of 2628	3256	cmd.exe	44
PID 3256 wrote to memory of 3764	3256	cmd.exe	70
PID 3256 wrote to memory of 1244	3256	cmd.exe	21
PID 3256 wrote to memory of 4000	3256	cmd.exe	61
PID 3256 wrote to memory of 2412	3256	cmd.exe	75
PID 3256 wrote to memory of 1032	3256	cmd.exe	16

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Executes dropped EXE
PID:624
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:788
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Executes dropped EXE
  PID:1020

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Executes dropped EXE
PID:672

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:796
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3752
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  - Executes dropped EXE
  PID:3856
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  - Executes dropped EXE
  PID:3920
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:4000
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  - Executes dropped EXE
  PID:3664
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:4276
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:1456
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:1972
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  PID:1640
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3704
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  - Loads dropped DLL
  PID:2008
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  2⤵
  - Loads dropped DLL
  PID:1596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
- Executes dropped EXE
PID:896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
- Executes dropped EXE
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
- Executes dropped EXE
PID:392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
- Executes dropped EXE
PID:992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
- Executes dropped EXE
PID:1032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
- Executes dropped EXE
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
- Executes dropped EXE
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:1172
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  - Executes dropped EXE
  PID:776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Executes dropped EXE
PID:1208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
- Executes dropped EXE
PID:1244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
- Executes dropped EXE
PID:1288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
- Executes dropped EXE
PID:1352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
- Executes dropped EXE
PID:1392
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  - Executes dropped EXE
  PID:3052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
- Executes dropped EXE
PID:1520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
- Executes dropped EXE
PID:1572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
- Executes dropped EXE
PID:1584

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
- Executes dropped EXE
PID:1660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
- Executes dropped EXE
PID:1676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
- Executes dropped EXE
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
- Executes dropped EXE
PID:1768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Executes dropped EXE
PID:1820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
- Executes dropped EXE
PID:1940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
- Executes dropped EXE
PID:1948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Executes dropped EXE
PID:1956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
- Executes dropped EXE
PID:1656

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
- Executes dropped EXE
PID:2068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
- Executes dropped EXE
PID:2120

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Executes dropped EXE
PID:2188

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
- Executes dropped EXE
PID:2328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
- Executes dropped EXE
PID:2436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
- Executes dropped EXE
PID:2444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
- Executes dropped EXE
PID:2696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
- Executes dropped EXE
PID:2720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
- Executes dropped EXE
PID:2740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Executes dropped EXE
PID:2692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
- Executes dropped EXE
PID:3172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3344
- C:\Users\Admin\AppData\Local\Temp\0oj3.exe
  "C:\Users\Admin\AppData\Local\Temp\0oj3.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    cmd.exe
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3256
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "cmd" /tr '"C:\ProgramData\cmd.exe"' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4988
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "cmd" /tr '"C:\ProgramData\cmd.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2564
    - - C:\Windows\System32\sc.exe
        
        "C:\Windows\System32\sc.exe" create AutoRunService binPath="C:\Program Files\cmd.exe" type=own start=auto
        5⤵
        Launches sc.exe
        
        PID:2032
    - - C:\Windows\System32\sc.exe
        
        "C:\Windows\System32\sc.exe" start AutoRunService
        5⤵
        Launches sc.exe
        
        PID:3180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
- Executes dropped EXE
PID:3352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Executes dropped EXE
PID:3564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:4748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
- Executes dropped EXE
PID:4880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
- Executes dropped EXE
PID:412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2204

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
- Executes dropped EXE
PID:2212

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
- Executes dropped EXE
PID:4512

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe be6f929faf988ac154423d4d932f6bc2 PaMcIzbLLk6Z/NCE3DLGfg.0.1.0.0.0
1⤵
- Sets service image path in registry
PID:3100
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Loads dropped DLL
  PID:4460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Loads dropped DLL
PID:448

C:\Program Files\cmd.exe
"C:\Program Files\cmd.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4208

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Loads dropped DLL
PID:4132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery