asyncrat | 0c4b7a3670f4ef5f7ba2d7e820cb3df837a72c08a4d039768b50617c06983308

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 62 IoCs

pid	Process
2700	cmd.exe
2452	svchost.exe
3052	cmd.exe
3736	RuntimeBroker.exe
2156	svchost.exe
1548	svchost.exe
5092	svchost.exe
1144	svchost.exe
1344	OfficeClickToRun.exe
1540	svchost.exe
948	svchost.exe
1932	svchost.exe
3700	svchost.exe
1728	svchost.exe
1924	svchost.exe
2904	svchost.exe
2508	SppExtComObj.exe
1324	svchost.exe
3468	svchost.exe
2104	spoolsv.exe
1312	svchost.exe
2492	unsecapp.exe
1112	svchost.exe
2292	svchost.exe
1696	svchost.exe
1104	svchost.exe
3664	svchost.exe
508	svchost.exe
900	svchost.exe
1668	svchost.exe
4324	TextInputHost.exe
4028	RuntimeBroker.exe
2720	svchost.exe
1268	svchost.exe
1640	svchost.exe
1660	svchost.exe
2444	svchost.exe
1048	svchost.exe
660	lsass.exe
1840	svchost.exe
2824	svchost.exe
64	dwm.exe
2624	svchost.exe
2816	svchost.exe
2616	sihost.exe
1432	svchost.exe
4380	RuntimeBroker.exe
3588	Explorer.EXE
1420	svchost.exe
1776	svchost.exe
2796	sysmon.exe
2200	svchost.exe
792	svchost.exe
3968	StartMenuExperienceHost.exe
1012	svchost.exe
612	winlogon.exe
2776	taskhostw.exe
1196	svchost.exe
2768	svchost.exe
2372	svchost.exe
4736	svchost.exe
988	svchost.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Loads dropped DLL 9 IoCs

pid	Process
5116	svchost.exe
1664	Conhost.exe
1748	svchost.exe
2888	TrustedInstaller.exe
1120	svchost.exe
1452	wmiprvse.exe
1960	mousocoreworker.exe
1652	svchost.exe
4496	TiWorker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Admin\\AppData\\Roaming\\cmd.exe\""	cmd.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File created	C:\Windows\system32\ASChelp.dll	cmd.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	OfficeClickToRun.exe
File created	C:\Windows\system32\ASChelp.dll	cmd.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
3608	0oj3.exe
3608	0oj3.exe
3712	cmd.exe
3712	cmd.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\cmd.exe	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\cmd.exe	cmd.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
456	sc.exe
4780	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe

Modifies data under HKEY_USERS 23 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018C010A008A2DE"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1735506882"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sun, 29 Dec 2024 21:14:45 GMT"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={135192FF-D805-4E0D-B55C-F69E80226519}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek\CacheStore	mousocoreworker.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133799804213091231"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133799804214810024"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App	svchost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4900	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3608	0oj3.exe
3608	0oj3.exe
3712	cmd.exe
3712	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
3608	0oj3.exe
3712	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	cmd.exe
Token: SeDebugPrivilege	2700	cmd.exe
Token: SeAssignPrimaryTokenPrivilege	1668	svchost.exe
Token: SeIncreaseQuotaPrivilege	1668	svchost.exe
Token: SeSecurityPrivilege	1668	svchost.exe
Token: SeTakeOwnershipPrivilege	1668	svchost.exe
Token: SeLoadDriverPrivilege	1668	svchost.exe
Token: SeSystemtimePrivilege	1668	svchost.exe
Token: SeBackupPrivilege	1668	svchost.exe
Token: SeRestorePrivilege	1668	svchost.exe
Token: SeShutdownPrivilege	1668	svchost.exe
Token: SeSystemEnvironmentPrivilege	1668	svchost.exe
Token: SeUndockPrivilege	1668	svchost.exe
Token: SeManageVolumePrivilege	1668	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1668	svchost.exe
Token: SeIncreaseQuotaPrivilege	1668	svchost.exe
Token: SeSecurityPrivilege	1668	svchost.exe
Token: SeTakeOwnershipPrivilege	1668	svchost.exe
Token: SeLoadDriverPrivilege	1668	svchost.exe
Token: SeSystemtimePrivilege	1668	svchost.exe
Token: SeBackupPrivilege	1668	svchost.exe
Token: SeRestorePrivilege	1668	svchost.exe
Token: SeShutdownPrivilege	1668	svchost.exe
Token: SeSystemEnvironmentPrivilege	1668	svchost.exe
Token: SeUndockPrivilege	1668	svchost.exe
Token: SeManageVolumePrivilege	1668	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1668	svchost.exe
Token: SeIncreaseQuotaPrivilege	1668	svchost.exe
Token: SeSecurityPrivilege	1668	svchost.exe
Token: SeTakeOwnershipPrivilege	1668	svchost.exe
Token: SeLoadDriverPrivilege	1668	svchost.exe
Token: SeSystemtimePrivilege	1668	svchost.exe
Token: SeBackupPrivilege	1668	svchost.exe
Token: SeRestorePrivilege	1668	svchost.exe
Token: SeShutdownPrivilege	1668	svchost.exe
Token: SeSystemEnvironmentPrivilege	1668	svchost.exe
Token: SeUndockPrivilege	1668	svchost.exe
Token: SeManageVolumePrivilege	1668	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1668	svchost.exe
Token: SeIncreaseQuotaPrivilege	1668	svchost.exe
Token: SeSecurityPrivilege	1668	svchost.exe
Token: SeTakeOwnershipPrivilege	1668	svchost.exe
Token: SeLoadDriverPrivilege	1668	svchost.exe
Token: SeSystemtimePrivilege	1668	svchost.exe
Token: SeBackupPrivilege	1668	svchost.exe
Token: SeRestorePrivilege	1668	svchost.exe
Token: SeShutdownPrivilege	1668	svchost.exe
Token: SeSystemEnvironmentPrivilege	1668	svchost.exe
Token: SeUndockPrivilege	1668	svchost.exe
Token: SeManageVolumePrivilege	1668	svchost.exe
Token: SeShutdownPrivilege	1960	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	1960	mousocoreworker.exe
Token: SeAuditPrivilege	2768	svchost.exe
Token: SeShutdownPrivilege	4028	RuntimeBroker.exe
Token: SeAssignPrimaryTokenPrivilege	1668	svchost.exe
Token: SeIncreaseQuotaPrivilege	1668	svchost.exe
Token: SeSecurityPrivilege	1668	svchost.exe
Token: SeTakeOwnershipPrivilege	1668	svchost.exe
Token: SeLoadDriverPrivilege	1668	svchost.exe
Token: SeSystemtimePrivilege	1668	svchost.exe
Token: SeBackupPrivilege	1668	svchost.exe
Token: SeRestorePrivilege	1668	svchost.exe
Token: SeShutdownPrivilege	1668	svchost.exe
Token: SeSystemEnvironmentPrivilege	1668	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3608 wrote to memory of 3712	3608	0oj3.exe	83
PID 3608 wrote to memory of 3712	3608	0oj3.exe	83
PID 3712 wrote to memory of 2700	3712	cmd.exe	90
PID 3712 wrote to memory of 2700	3712	cmd.exe	90
PID 2700 wrote to memory of 3480	2700	cmd.exe	93
PID 2700 wrote to memory of 3480	2700	cmd.exe	93
PID 3480 wrote to memory of 4900	3480	cmd.exe	95
PID 3480 wrote to memory of 4900	3480	cmd.exe	95
PID 2700 wrote to memory of 4780	2700	cmd.exe	96
PID 2700 wrote to memory of 4780	2700	cmd.exe	96
PID 2700 wrote to memory of 456	2700	cmd.exe	98
PID 2700 wrote to memory of 456	2700	cmd.exe	98
PID 2700 wrote to memory of 2452	2700	cmd.exe	43
PID 2700 wrote to memory of 5116	2700	cmd.exe	65
PID 2700 wrote to memory of 3736	2700	cmd.exe	62
PID 2700 wrote to memory of 780	2700	cmd.exe	9
PID 2700 wrote to memory of 2156	2700	cmd.exe	39
PID 2700 wrote to memory of 776	2700	cmd.exe	8
PID 2700 wrote to memory of 1664	2700	cmd.exe	85
PID 2700 wrote to memory of 1748	2700	cmd.exe	86
PID 2700 wrote to memory of 2888	2700	cmd.exe	91
PID 2700 wrote to memory of 1548	2700	cmd.exe	27
PID 2700 wrote to memory of 5092	2700	cmd.exe	68
PID 2700 wrote to memory of 1144	2700	cmd.exe	20
PID 2700 wrote to memory of 1344	2700	cmd.exe	72
PID 2700 wrote to memory of 1540	2700	cmd.exe	26
PID 2700 wrote to memory of 948	2700	cmd.exe	12
PID 2700 wrote to memory of 1932	2700	cmd.exe	34
PID 2700 wrote to memory of 3700	2700	cmd.exe	57
PID 2700 wrote to memory of 1728	2700	cmd.exe	30
PID 2700 wrote to memory of 1924	2700	cmd.exe	33
PID 2700 wrote to memory of 2904	2700	cmd.exe	52
PID 2700 wrote to memory of 2508	2700	cmd.exe	70
PID 2700 wrote to memory of 2704	2700	cmd.exe	73
PID 2700 wrote to memory of 1324	2700	cmd.exe	23
PID 2700 wrote to memory of 3880	2700	cmd.exe	58
PID 2700 wrote to memory of 3468	2700	cmd.exe	55
PID 2700 wrote to memory of 1120	2700	cmd.exe	19
PID 2700 wrote to memory of 2104	2700	cmd.exe	38
PID 2700 wrote to memory of 1312	2700	cmd.exe	22
PID 2700 wrote to memory of 2492	2700	cmd.exe	53
PID 2700 wrote to memory of 1112	2700	cmd.exe	18
PID 2700 wrote to memory of 2292	2700	cmd.exe	41
PID 2700 wrote to memory of 1696	2700	cmd.exe	29
PID 2700 wrote to memory of 1104	2700	cmd.exe	17
PID 2700 wrote to memory of 3664	2700	cmd.exe	71
PID 2700 wrote to memory of 508	2700	cmd.exe	14
PID 2700 wrote to memory of 900	2700	cmd.exe	11
PID 2700 wrote to memory of 1668	2700	cmd.exe	37
PID 2700 wrote to memory of 4324	2700	cmd.exe	74
PID 2700 wrote to memory of 1280	2700	cmd.exe	84
PID 2700 wrote to memory of 4028	2700	cmd.exe	60
PID 2700 wrote to memory of 2720	2700	cmd.exe	46
PID 2700 wrote to memory of 1268	2700	cmd.exe	21
PID 2700 wrote to memory of 1640	2700	cmd.exe	28
PID 2700 wrote to memory of 1660	2700	cmd.exe	36
PID 2700 wrote to memory of 2444	2700	cmd.exe	42
PID 2700 wrote to memory of 1452	2700	cmd.exe	88
PID 2700 wrote to memory of 1048	2700	cmd.exe	69
PID 2700 wrote to memory of 660	2700	cmd.exe	7
PID 2700 wrote to memory of 1840	2700	cmd.exe	32
PID 2700 wrote to memory of 2824	2700	cmd.exe	51
PID 2700 wrote to memory of 64	2700	cmd.exe	13
PID 2700 wrote to memory of 2624	2700	cmd.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Executes dropped EXE
PID:612
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:780
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Executes dropped EXE
  PID:64

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Executes dropped EXE
PID:660

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Executes dropped EXE
- Modifies registry class
PID:792
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3880
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  - Executes dropped EXE
  PID:3968
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4028
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:1036
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  - Executes dropped EXE
  PID:3736
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:2704
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  - Executes dropped EXE
  PID:4324
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:1452
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3140
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  2⤵
  - Loads dropped DLL
  PID:4496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
- Executes dropped EXE
PID:900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
- Executes dropped EXE
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
- Executes dropped EXE
PID:508

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
- Executes dropped EXE
PID:988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
- Executes dropped EXE
PID:1012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
- Executes dropped EXE
PID:1104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
- Executes dropped EXE
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:1120
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  - Executes dropped EXE
  PID:2776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
- Executes dropped EXE
PID:1268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
- Executes dropped EXE
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
- Executes dropped EXE
PID:1324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
- Executes dropped EXE
PID:1420
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  - Executes dropped EXE
  PID:2616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
- Executes dropped EXE
PID:1432

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
- Executes dropped EXE
PID:1540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
- Executes dropped EXE
PID:1548

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
- Executes dropped EXE
PID:1640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
- Executes dropped EXE
PID:1696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
- Executes dropped EXE
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
- Executes dropped EXE
PID:1776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Executes dropped EXE
PID:1840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
- Executes dropped EXE
PID:1924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Executes dropped EXE
PID:1932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
- Executes dropped EXE
PID:1196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
- Executes dropped EXE
PID:1660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
- Executes dropped EXE
PID:2104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
- Executes dropped EXE
PID:2156

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Executes dropped EXE
PID:2200

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
- Executes dropped EXE
PID:2292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
- Executes dropped EXE
PID:2444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
- Executes dropped EXE
PID:2452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Executes dropped EXE
PID:2624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
- Executes dropped EXE
PID:2796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
- Executes dropped EXE
PID:2816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
- Executes dropped EXE
PID:2824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
- Executes dropped EXE
PID:2904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
- Executes dropped EXE
PID:3468

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:3588
- C:\Users\Admin\AppData\Local\Temp\0oj3.exe
  "C:\Users\Admin\AppData\Local\Temp\0oj3.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    cmd.exe
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID:3712
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "cmd" /tr '"C:\ProgramData\cmd.exe"' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3480
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "cmd" /tr '"C:\ProgramData\cmd.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4900
    - - C:\Windows\System32\sc.exe
        
        "C:\Windows\System32\sc.exe" create AutoRunService binPath="C:\Program Files\cmd.exe" type=own start=auto
        5⤵
        Launches sc.exe
        
        PID:4780
    - - C:\Windows\System32\sc.exe
        
        "C:\Windows\System32\sc.exe" start AutoRunService
        5⤵
        Launches sc.exe
        
        PID:456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Executes dropped EXE
PID:3700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:5116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
- Executes dropped EXE
PID:2372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
- Executes dropped EXE
PID:5092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
- Executes dropped EXE
PID:3664

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
- Executes dropped EXE
PID:4736

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 6b6a82f0786ae23f9eb64979f452c5a3 9qSHcJymP0CteioRg+9DsQ.0.1.0.0.0
1⤵
PID:1280
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Loads dropped DLL
  PID:1664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Loads dropped DLL
PID:1748

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Loads dropped DLL
PID:2888

C:\Program Files\cmd.exe
"C:\Program Files\cmd.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Loads dropped DLL
PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery